Uploaded by ya jun jiang

Nuclear Policies

advertisement
TRAINING COURSE SERIES No. 15
Regulatory control of
nuclear power plants
Part A (Textbook)
INTERNATIONAL ATOMIC ENERGY AGENCY, VIENNA, 2002
The originating Section of this publication in the IAEA was:
Safety Co-ordination Section
International Atomic Energy Agency
Wagramer Strasse 5
P.O. Box 100
A-1400 Vienna, Austria
REGULATORY CONTROL OF NUCLEAR POWER PLANTS
PART A (TEXTBOOK)
IAEA, VIENNA, 2002
IAEA–TCS–15
ISSN 1018–5518
© IAEA, 2002
Printed by the IAEA in Austria
September 2002
FOREWORD
The purpose of this book is to support IAEA training courses and workshops in the
field of regulatory control of nuclear power plants as well as to support the regulatory bodies
of Member States in their own training activities. The target group is the professional staff
members of nuclear safety regulatory bodies supervising nuclear power plants and having
duties and responsibilities in the following regulatory fields: regulatory framework; regulatory
organization; regulatory guidance; licensing and licensing documents; assessment of safety;
and regulatory inspection and enforcement. Important topics such as regulatory competence
and quality of regulatory work as well as emergency preparedness and public communication
are also covered.
The book also presents the key issues of nuclear safety such as ‘defence-in-depth’ and
safety culture and explains how these should be taken into account in regulatory work, e.g.
during safety assessment and regulatory inspection. The book also reflects how nuclear safety
has been developed during the years on the basis of operating experience feedback and results
of safety research by giving topical examples. The examples cover development of operating
procedures and accident management to cope with complicated incidents and severe accidents
to stress the importance of regulatory role in nuclear safety research.
The main target group is new staff members of regulatory bodies, but the book also
offers good examples for more experienced inspectors to be used as comparison and
discussion basis in internal workshops organized by the regulatory bodies for refreshing and
continuing training.
The book was originally compiled on the basis of presentations provided during the
two regulatory control training courses in 1997 and 1998. The written presentations were
collected from the lecturers and compiled before and during the consultants meeting from 16–
20 November 1998 in Vienna, where final compilation was done. The textbook was reviewed
at the beginning of the years 2000 and 2002 by IAEA staff members and consistency with the
latest revisions of safety standards have been ensured. The textbook was completed in the
consultants meeting at the end of 2001 by adding updates on the Nuclear Safety Convention
and US regulatory practices.
The main purpose of the book is to provide written background material to the
participants and to support lecturers of the training courses on Regulatory Control of Nuclear
Power Plants. The idea is to present general practices recommended by the IAEA in its safety
guidance as well as country specific examples of how these general principles and
requirements have been implemented in various countries. Lecturers can provide detailed
information concerning their own countries and organizations but it is often difficult for them
to provide as detailed knowledge on other countries and organizations. Therefore different
examples are valuable for comparison.
The examples selected are representative, showing existing and functional practices,
and also provide a good selection of different practices adopted by different regulatory
organizations. They reflect practices in large and small countries and regulatory bodies. They
do not follow any particular regulatory practice but try to offer several alternatives to be useful
for many inspectors coming from different types of organizations.
The textbook has been compiled from the presentations provided during the training
courses on Regulatory Control of Nuclear Power Plants from 1997 to 2001. The written
presentations were collected from the lecturers and compiled before and during the
consultants meetings held 16–20 November 1998 and 1–5 October 2001 in Vienna by
K. Burkart, Germany, J. Libmann, France, C. Stoiber, United States of America. The IAEA
officer responsible for the publication was I. Aro of the Department of Nuclear Safety.
Ongoing responsibility lies with L. Lederman of the Division of Nuclear Installation Safety.
The course was organized eight times in Europe: in Slovakia, Finland, the Czech
Republic, Germany (four times) and the United Kingdom in 1994–2001 and two times in
Asia: in Indonesia and in the Republic of Korea. Some of the lecturers have participated in
several courses and are also the main contributors to the written text parts. Also several
German lecturers have contributed in various regulatory fields providing German examples.
The Gesellschaft für Anlagen und Reaktorsicherheit (GRS)mbH, Germany, Health and Safety
Executive, United Kingdom, Institute for Protection and Nuclear Safety (IPSN), France, and
Radiation and Nuclear Safety Authority (STUK), Finland, and the US Nuclear Regulatory
Commission provided material support in the form of examples.
EDITORIAL NOTE
The use of particular designations of countries or territories does not imply any judgement by the
publisher, the IAEA, as to the legal status of such countries or territories, of their authorities and
institutions or of the delimitation of their boundaries.
The mention of names of specific companies or products (whether or not indicated as
registered) does not imply any intention to infringe proprietary rights, nor should it be
construed as an endorsement or recommendation on the part of the IAEA.
CONTENTS
1.
LEGISLATIVE AND REGULATORY FRAMEWORK ................................................. 1
1.1.
1.2.
1.3.
1.4.
2.
IAEA approach to nuclear safety............................................................................. 1
1.1.1. Historical development ............................................................................. 1
1.1.2. IAEA Nuclear Safety Requirements and Guides ...................................... 2
1.1.3. IAEA requirements for the governmental level and for the operator........ 6
1.1.4. IAEA Requirements for nuclear safety legislation ................................... 6
1.1.5. Safety objectives and safety criteria for nuclear power plants .................. 7
International safety related conventions ................................................................ 12
1.2.1. Convention on Nuclear Safety ................................................................ 12
1.2.2. Other international nuclear safety related conventions ........................... 24
National regulatory framework ............................................................................. 27
1.3.1. The state, its structures and its duties...................................................... 27
1.3.2. Responsibilities of the four main organizations...................................... 29
1.3.3. Nuclear safety legislation ........................................................................ 31
1.3.4. National and international institutions for
matters of standardization ....................................................................... 33
1.3.5. Types of regulatory guidance .................................................................. 34
1.3.6. Safety criteria for nuclear power plants................................................... 35
Illustration through national examples .................................................................. 37
1.4.1. Finland..................................................................................................... 37
1.4.2. Germany .................................................................................................. 40
1.4.3. United Kingdom...................................................................................... 48
1.4.4. Governmental organization for nuclear safety in the USA ..................... 49
REGULATORY BODY .................................................................................................. 54
2.1.
2.2.
2.3.
2.4.
2.5.
Regulatory independence ...................................................................................... 54
Organization and functions of regulatory body ..................................................... 56
2.2.1. IAEA guidance for regulatory organization ............................................ 56
2.2.2. Examples of regulatory organizations ..................................................... 60
Licensing of a nuclear power plant........................................................................ 76
2.3.1. IAEA approach to licensing .................................................................... 76
2.3.2. Examples of licensing practices .............................................................. 77
Quality assurance, performance reviews and self-assessment in the
regulatory body...................................................................................................... 90
2.4.1. Quality assurance .................................................................................... 90
2.4.2. Performance reviews — IAEA IRRT services........................................ 92
2.4.3. Quality assurance and self-assessment in the regulatory body —
an example .............................................................................................. 93
Professionalism and training of regulatory body staff........................................... 96
2.5.1. Regulatory role and duties....................................................................... 98
2.5.2. Rights ...................................................................................................... 98
2.5.3. Obligations .............................................................................................. 99
2.5.4. Responsibilities ....................................................................................... 99
2.5.5. Relationships with the power company................................................. 100
2.5.6. Professional behaviour .......................................................................... 100
2.5.7. Inspection/auditing techniques .............................................................. 100
2.5.8. Inspection philosophy............................................................................ 101
2.5.9. Maintaining competence ....................................................................... 102
2.5.10. Training of inspectors............................................................................ 102
3.
ASSESSMENT OF SAFETY........................................................................................ 103
3.1.
3.2.
4.
INSPECTION AND ENFORCEMENT BY THE REGULATORY BODY ................ 155
4.1.
4.2.
5.
IAEA guidance for regulatory review and assessment ........................................ 103
3.1.1. Safety objectives and safety requirements for
review and assessment .......................................................................... 105
3.1.2. Areas for review and assessment........................................................... 106
3.1.3. Review and assessment methodology ................................................... 108
3.1.4. Quality assurance in the review and assessment process ...................... 115
3.1.5. Topics to be covered by regulatory review and assessment .................. 115
Country specific approaches and experience....................................................... 119
3.2.1. Deterministic safety approach — French experience............................ 119
3.2.2. Assessment of modifications — German and Finnish experience........ 133
3.2.3. Assessment of operational experience — French experience .............. 136
3.2.4. Periodic safety review, reassessment for renewing the
operating licence — French experience ................................................ 148
IAEA guidance on inspection and enforcement .................................................. 155
4.1.1. Regulatory inspection programme ........................................................ 157
4.1.2. Inspection areas ..................................................................................... 159
4.1.3. Implementation of an inspection programme........................................ 159
4.1.4. Enforcement actions.............................................................................. 165
Examples of specific inspections ........................................................................ 167
4.2.1. Regulatory inspection in Finland .......................................................... 167
4.2.2. Examples of specific inspections — German practices ........................ 179
4.2.3. Inspection practices in the United Kingdom ......................................... 199
DOCUMENTATION .................................................................................................... 213
5.1.
IAEA guidance for documents generated by the operator and the
regulatory body within an authorization process................................................. 213
5.1.1. Documents produced by the operator.................................................... 213
5.1.2. Documents produced by the regulatory body for a
specific facility ...................................................................................... 217
5.2. Country specific approaches and examples ............................................................ 223
5.2.1.
Use of licensing and commissioning documents in Finland ................ 223
5.2.2.
Structure and content of the QA manual (Germany)............................. 230
5.2.3.
Use of the licensing documents and updating procedures .................... 234
6.
DEVELOPING SAFETY .............................................................................................. 238
6.1.
The role of the regulator in the development of safety culture............................ 238
6.1.1. Stage of safety culture — safety is solely based on
rules and regulations.............................................................................. 239
6.1.2. Stage of safety culture — good safety performance is an
organizational goal ................................................................................ 240
6.1.3.
6.2.
6.3.
7.
EMERGENCY ARRANGEMENTS............................................................................. 278
7.1.
7.2.
7.3.
7.4.
7.5.
7.6.
7.7.
7.8.
7.9.
7.10.
7.11.
8.
Stage of safety culture — safety performance can
always be improved............................................................................... 240
6.1.4. General practices to develop organizational effectiveness.................... 242
The role of assessment in the development of safety culture .............................. 246
6.2.l.
How to measure safety culture .............................................................. 246
6.2.2. Organizational issues............................................................................. 248
6.2.3. Regulatory issues................................................................................... 250
6.2.4. Employee issues .................................................................................... 253
6.2.5. Plant conditions and trending................................................................ 256
Illustration through national examples ................................................................ 256
6.3.1. Risk-informed, performance-based regulation in the USA................... 256
6.3.2. German safety culture experiences........................................................ 262
6.3.3. Interface of regulator and operator — Finnish experience.................... 269
Warning of the emergency management authorities ........................................... 278
Response of the emergency management authority ............................................ 280
Assessment .......................................................................................................... 281
Monitoring and measurements ............................................................................ 282
Intervention.......................................................................................................... 283
Plans, resources, work sheets, guidance.............................................................. 284
Communication with the media and the public................................................... 285
Decision support systems .................................................................................... 286
Protection of emergency workers ........................................................................ 286
Training and exercises......................................................................................... 287
Co-operation with neighbouring States ............................................................... 288
COMMUNICATION WITH THE PUBLIC.................................................................. 288
8.1.
8.2.
General information ............................................................................................ 288
8.1.1. Role of the regulatory authority ............................................................ 288
8.1.2. Fundamentals of nuclear communications ............................................ 290
Country specific approaches and experience....................................................... 292
8.2.1. Establishing a public information policy in Finland ............................. 292
8.2.2. Criteria for reporting operating events .................................................. 293
8.2.3. STUK’s quarterly reports on the operation of nuclear power plants..... 294
8.2.4. Technical tools to offer prompt information ......................................... 295
8.2.5. Communication is intensified during an incident ................................. 295
8.2.6. The INES classification is a useful tool in informing the public .......... 297
8.2.7. Observations about crisis communication............................................. 298
APPENDICES
Appendix I:
Examples of evolution of an operation manual —
Operating procedures ................................................................................. 301
Appendix II:
Complementary operating conditions ........................................................ 307
Appendix III:
Preparation for the management of severe accidents ................................. 316
Appendix IV:
List of the IAEA safety requirements and guides ..................................... 334
Appendix V:
List of Finnish YVL guides........................................................................ 338
Appendix VI:
IAEA International Nuclear Events Scale (INES) ..................................... 341
Appendix VII:
Regulatory control of nuclear power plants —
Syllabus and example course programme (Karlsruhe, 2000) .................... 347
REFERENCES....................................................................................................................... 351
CONTRIBUTORS TO DRAFTING AND REVIEW............................................................ 353
1. LEGISLATIVE AND REGULATORY FRAMEWORK
1.1. IAEA APPROACH TO NUCLEAR SAFETY
1.1.1. Historical development
From the very beginning of research and industrial development towards peaceful use
of nuclear energy, safety was an important concern and “prevention” was also identified as an
important and effective safety factor. Considering the history of industrial development, this is
one of the first instances, if not the first example, where those in charge of research,
development and industrial realisation were aware not only of the dangers associated with
implementation of the new energy source but also the need to consider safety as a condition
for further realisation. The importance of nuclear safety has been recognised since the early
phase of nuclear power plant development.
After about a quarter of a century of independent national development of nuclear
reactors in a few countries (1950–1975), the need and usefulness of considering the “new”
technology at the international level was felt and has lead to corresponding actions. The
following illustrates the development:
The strong need of international co-operation resulted in the creation of the IAEA in
1956. The objectives and functions of the IAEA are presented in the Statute of the IAEA. The
Article II presents the essence: “The Agency shall seek to accelerate and enlarge the
contribution of atomic energy to peace, health and prosperity throughout the world. It shall
ensure, so far as it is able, that assistance provided by it or at its request or under its
supervision or control is not used in such a way as to further any military purpose.” The
Article III lists main functions of the IAEA including “fostering the exchange of scientific and
technical information”, “encouraging the exchange and training of scientists and experts” and
“establishing standards of safety for protection of health and minimization of danger to life
and property, and providing for the application of these standards to its own operations as
well as to operations making use of IAEA materials, services and information”.
The start, in 1974, of the IAEA NUSS Programme [1] for nuclear power plants
followed, after 10 years of good international co-operation, by the publication of 5 codes of
practice and about 60 safety guides in the IAEA Safety Series. On the basis of experience and
new developments, at both the technological and the “philosophical” level, revision of these
documents has been decided and began at the end of 1980s. This work is still going on to have
a complete revised set of nuclear Safety Standards including Safety Fundamentals,
Requirements and Guides. In 2000, new revised Requirements were published [2–6].
During the last 10 to 15 years, time and effort have been invested in further
international co-operative thinking and discussion on nuclear safety. Results and conclusions
have been and continue to be published by several international organizations, especially by
IAEA in its Safety Series. International nuclear safety advisory group (INSAG) has produced
useful basic philosophical reports such as expression of the basic safety principles which are
reflected in the IAEA Safety Fundamentals [7, 8] and development of concepts e.g. defence in
depth [9] and safety culture [10].
1
In addition to the safety of nuclear power plants, other safety areas are being
considered. The management of radioactive waste and the transport of nuclear materials are
among the most important of these areas.
The future role of nuclear energy depends on a consistent, demonstrated record of
safety in all applications. Although IAEA is not an international Regulatory Body, its nuclear
safety efforts are directed towards creating multilateral, legally binding agreements, which are
increasingly important mechanism for improving nuclear safety, radiation safety and waste
safety around the world. This is done by means of International Conventions (e.g. nuclear
safety, civil liability, early notification of nuclear accidents and radiological emergencies,
mutual assistance in case of nuclear accidents and radiological emergencies, radioactive waste
management, physical protection [11–14]). International conventions are binding legal
instruments for the countries that sign and ratify them.
The Convention on Nuclear Safety (for nuclear power plants) has been put into force
on October 24, 1996, and is presently in the phase of implementation [11, 14]. A “sister”
Convention on the safety of radioactive waste management has been put into force on 18 June
2001 [13].
1.1.2. IAEA Nuclear Safety Requirements and Guides [1]
1.1.2.1. Development of IAEA Requirements and Guides
The development of nuclear and radiation safety Standards is a statutory function of the
IAEA, which is unique in the United Nations system. The IAEA Statute expressly authorizes
the Agency “to establish standards of safety” and “to provide for the application of these
standards”. Over the years, more than 200 safety standards have been published in the IAEA´s
Safety Series of publications:
x The Nuclear Safety Standards (NUSS);
x The International Basic Safety Standards for Protection Against Ionising Radiation and for
the Safety of Radiation Sources (the Basic Safety Standards), with supporting documents;
x The Radioactive Waste Safety Standards (RADWASS); and
x The Regulations for the Safe Transport of Radioactive Material.
In 1996, a new uniform preparation and review process was introduced, covering all
areas in which the IAEA establishes safety standards. As a consequence, the IAEA´s Safety
Series was being replaced by two new series of safety-related publications, namely:
x The Safety Standards Series;
x The Safety Reports Series.
The purpose is to separate those IAEA Safety Standards publications which spell out
safety objectives, concepts, principles, requirements and guidance — as a basis for national
regulations, or as an indication of how various safety requirements may be met — from those
publications which are issued for the purpose of fostering information exchange in safety.
The publications in the Safety Standards Series will be issued pursuant to the IAEA´s
statutory function to establish safety standards. The publications in the Safety Reports Series
2
will be issued for the purpose of providing information on ways of ensuring safety
(essentially, they will replace the IAEA´s safety practices documents and other publications).
The change took effect in 1996, with the publication in the safety standards series of
the latest edition of the regulations for the safe transport of radioactive material As Safety
Standards Series No. ST-1.
The Safety Standards Series comprises the following levels of documents:
x Safety Fundamentals.
x Safety Requirements.
x Safety Guides.
The series cover nuclear safety, radiation safety, waste safety, and transport safety. It
also covers general topics (such as governmental organization, quality assurance, and
emergency preparedness) relevant to all four of those fields that will be dealt with in a
separate category of general safety documents.
The Safety Fundamentals Documents are the policy documents of the IAEA Safety
Standards series. They state the basic objectives, concepts and principles involved in ensuring
protection and safety in the development and application of atomic energy for peaceful
purposes. They state — without providing technical details and, as a rule, without going into
the application of principles — the rationale for actions necessary in meeting safety
requirements. There are currently three Safety Fundamentals Documents: for nuclear safety,
radiation safety and waste safety. The IAEA has started actions to combine these documents
into one Safety Fundamentals document that then covers all these areas.
The Safety Requirements deal with the basic requirements that must be met in order to
ensure the safety of particular activities. These requirements are governed by the basic
objectives, concepts and principles presented in the safety fundamentals documents. The
written style (with “shall” statements) is that of regulatory documents so that States may adopt
the Safety Requirements at their own discretion, as national regulations. Earlier these safety
requirements documents were called as Codes [5, 6].
The Safety Guides documents contain recommendations (with “should” statements),
based on international experience, regarding measures to ensure that the safety requirements
are met. But unless alternative equivalent measures are implemented, the “should” statements
become “shall” requirements.
IAEA Safety Standards have been developed on the basis of international consensus and
as such they reflect very widely accepted safety levels. During the development or revision of
a safety standard all member states have the possibility to present their comments on the welldeveloped draft document, and these comments are taken into account in the final draft that is
sent to NUSSC and CSS for approval. Final approval to take the safety standard into use is
given either by the Director General or Board of Governors depending on the level of the
safety standard. IAEA Safety Standards present some kind of minimum internationally
acceptable level. As such they do not necessarily reflect current requirement level in a specific
country. In some countries, the requirement level for certain issues may be higher for various
reasons, e.g. because of density of population. Each country should define its own acceptable
3
Atomic
La w
IAEA Sa fety
Stand a rd s Series
IAEA Sa fety
Rep orts Series
Dec ree
Fund a menta ls
Reg ula tion
Req uirements
Reg ulatory Guid es
Sa fety Guid es
Ind ustria l Sta nd a rd s
FIG. 1. The hierarchy of legal and regulatory documents and their comparison with the
IAEA Safety Standards.
safety level on the basis of local conditions and governmental practices. In this work the IAEA
Safety Standards are useful because they show key issues and present possible acceptable
solutions. If there are large deviations compared to the internationally agreed safety level,
special consideration should be given to these issues. Figure 1 relates the IAEA Safety
Standards to national nuclear law, regulations and regulatory guides.
The list of IAEA Safety Standards in the field of nuclear facilities is presented in
Appendix IV. The current status of the standards development is presented on the IAEA
Internet site: www.iaea.org/ns/coordinet. The most recent standards are also available through
Internet from the site: www.iaea.org/Worldatom/Books/Featured Series/index.shtml, where
the actual standards can be read and printed in pdf format.
In addition to the IAEA Safety Fundamentals, Safety Requirements and Guides there is
also an international agreement, the Convention on Nuclear Safety (Vienna, 1994). This
agreement is signed and ratified by the governments of participating countries and with the
ratification the countries bind themselves to fulfil the requirement level presented in the
convention. The level defined by the Convention on Nuclear Safety is very similar to what is
defined by the IAEA Safety Fundamentals. It is important to note that the IAEA Safety
Standards are not binding documents in the member states.
In accordance with the importance of safety IAEA provided for a Commission of
Safety Standards (CSS) as a standing body of senior government officials holding national
responsibilities for establishing standards and other regulatory documents relevant to nuclear,
radiation, waste and transport safety. It has a special overview role with regard to the IAEA’s
Safety Standards and provides advice to the Director General on the overall programme
related to safety standards. Figure 2 shows an organization chart of the CSS’s committees
inside the IAEA.
4
FIG. 2. The committees for IAEA Safety Standards.
1.1.2.2. Safety requirements
The IAEA has set up the Safety Requirements (earlier Codes), providing a good basis
for the safety of nuclear power plants. Today also the principles recommended by the INSAG
are followed by member states. They include the basic safety principles for NPP, which have
greatly influenced the development of the safety requirements.
In the following a brief outline of the safety requirements are given (see also
Appendix IV):
Governmental organization: The requirements deal with establishing a Regulatory Body,
covers aspects related to the radiological safety of the general public and site personnel and
gives general requirements for organization of the Regulatory Body, the role and
responsibilities of the Regulatory Body, the basic requirements imposed on an applicant, the
licensing process and licensing decisions, and inspection and enforcement by the Regulatory
Body [2].
Design: The requirements give the basic safety requirements that must be incorporated in the
concept and in the detailed design in order to produce a safe plant. Following general practice,
the requirements present the concept of defence in depth, e.g. successive barriers to prevent
the escape of radioactive material. In case of the failure of a barrier, design provisions are
made available to mitigate the consequences of such failures [3].
Operation: The prime responsibility for the safety of the plant rests with the operating
organization. This is the basic concept underlining the requirements for operation. The
requirements deal with safety related aspects of operation including: operating limits and
conditions, commissioning, structure of the operating organization, operating instructions and
procedures, maintenance, testing, inspection, core management and fuel handling, review of
operation and feedback of experience, emergency preparedness, radiation protection and
decommissioning [4].
5
Siting: The requirements specified in the siting Code (not yet revised) deal with the evaluation
of site-related factors to be taken into account to ensure that the plant-site combination does
not constitute an unacceptable risk during the life time of the plant. This includes evaluation
of the potential effect on the site of natural and other phenomena that might affect the area
(i.e. earthquakes, floods, aircraft crashes, chemical explosions), evaluation of effects of the
plant itself on the site (i.e. dispersion of effluents in air and water), and consideration of
population distribution and emergency planning. The Code also covers the role of the owner
of the future plant and the regulatory body in siting [5].
Quality assurance: The requirements specified in the quality assurance (QA) code provide an
efficient management tool that could be used by both the plant management and the regulatory
organization to gain confidence in the safety and quality of a nuclear power plant. The
QA requirements oblige plant designers, constructors, installers and operators to plan,
conduct, and document their work systematically. This allows the verification of all activities
not only by physical inspection or testing of hardware in the plant but also through indirect
methods such as evaluation of the effectiveness of the respective QA programmes [6].
1.1.3. IAEA requirements for the governmental level and for the operator [2]
There are certain prerequisites for the safety of facilities and activities presented in the
Safety Series Documents of the IAEA. These give rise to the requirements presented in
Table I that shall be fulfilled by the legislative and governmental mechanisms of member
states. They cover the establishment of legislation and regulatory framework including
regulator’s independence and authority. They also refer to international safety related
conventions, treaties and agreements which need to be taken into account in the legislation
such as definition of liabilities in respect of nuclear damage and provision of financial
security. They stress also that the regulatory body needs advisory committees, technical
support and regulatory research to support its activities. Safety of facilities contains also
management of spent fuel and nuclear waste, safe transport of nuclear material and
arrangements by governmental emergency response and physical protection.
The prime responsibility for safety shall be assigned to the operator. The operators have
the responsibility for ensuring safety in the siting, design, construction, commissioning,
operation and decommissioning or closure of their facilities, including, as appropriate,
rehabilitation of contaminated areas, and for activities using, transporting or handling
radioactive material. The radioactive waste generators shall have the responsibility for the safe
management of the radioactive waste that they produce. During transportation of radioactive
material, primary reliance for safety is put on the use of approved packaging. Compliance with
the requirements imposed by the regulatory body does not relieve the operator of its prime
responsibility for safety. The operator demonstrates to the satisfaction of the regulatory body
that this responsibility has been and will continue to be discharged.
1.1.4. IAEA requirements for nuclear safety legislation [2]
Legislation is promulgated to provide for the effective control of nuclear, radiation, waste and
transport safety. The IAEA requirements for legislation are presented in Table II. Most of the
requirements for the governmental level also appear as requirements for legislation.
6
TABLE I. IAEA REQUIREMENTS FOR THE GOVERNMENTAL LEVEL [2]
x To establish a legislative and statutory framework to regulate the safety of facilities and activities;
x To establish and maintain a regulatory body which shall be effectively independent from
organizations or bodies charged with the promotion of nuclear technologies or responsible for
facilities or activities. This is necessary so that regulatory judgements can be made, and
enforcement actions taken, without pressure from interests that may compete with safety;
x To assign responsibility to the regulatory body for authorization, regulatory review and
assessment, inspection and enforcement, and for establishing safety principles, criteria,
regulations and guides;
x To provide the regulatory body with adequate authority, power, staffing and financial resources to
discharge its assigned responsibilities;
x To ensure that no other responsibility is assigned to the regulatory body which may jeopardise or
conflict with its responsibility for regulating safety;
x To ensure that adequate arrangements are made for decommissioning, close out or closure, site
rehabilitation and the safe management of spent fuel and radioactive waste;
x To ensure that adequate arrangements are made for the safe transport of radioactive material;
x To establish, if necessary, advisory committees to assist the government and the regulatory body
on safety issues;
x To establish governmental emergency response and intervention capabilities;
x To ensure the adequacy of physical protection arrangements, where they influence safety;
x To provide for adequate financial indemnification arrangements for third parties in the event of a
nuclear or radiation accident in view of the potential damage and injury which may arise from an
accident; and
x To provide for the technological infrastructure necessary to support the safety of facilities and
activities, where these are not provided by other organizations.
If other authorities, which may not meet the requirements of independence, are involved in the
granting of authorizations, it is ensured that the safety requirements of the regulatory body are
not ignored or modified in the regulatory process.
1.1.5. Safety objectives and safety criteria for nuclear power plants
1.1.5.1. Safety objectives
Establishing and maintaining safety is the main purpose for establishing an adequate
framework for surveillance and control of all activities associated with nuclear installations.
For the sake of clarity for all parties involved it is therefore a “must” to give them the frame in
which they can or have to act. The essential part of this frame is a coherent set of safety
objectives. Such a set of safety objectives indicates what has to be achieved, but does not
impose or prescribe the way to reach it.
The essence of the IAEA requirements on nuclear safety published in the nuclear safety
standards documents has been formulated in three overall safety objectives. These three
overall safety objectives read as follows [8].
7
TABLE II. IAEA REQUIREMENTS FOR NUCLEAR LEGISLATION [2]
x
Set out objectives for protecting individuals, society and the environment from radiation hazards,
both for the present and in the future;
x
Specify facilities, activities and materials that are included in the scope of the legislation and
what is excluded from the requirements of any particular part of the legislation;
x
Establish authorization and other processes (e.g. licensing, registration, notification, exemption),
taking into account the potential magnitude and nature of the hazard associated with the facility
or activity and define the different steps of the processes;
x
Establish a regulatory body with authority;
x
Arrange for funding of the regulatory body adequate for it to function effectively;
x
Specify the process for removal of a facility or activity from regulatory control;
x
Provide a procedure for review of, and appeal against, regulatory decisions (without
compromising safety);
x
Allow for the creation of independent advisory bodies to provide expert opinion and consultation
for the government and regulatory body;
x
Set up a means whereby research and development in important safety areas is carried out;
x
Define liabilities in respect of nuclear damage;
x
Set out the arrangements for provision of financial security in respect of any liabilities;
x
Set out the responsibilities and obligations in respect of financial provision for radioactive waste
management and decommissioning;
x
Define what is an offence and the corresponding penalties;
x
Implement any obligations under international treaties, conventions or agreements;
x
Define the involvement of the public and other bodies in the regulatory process; and
x
Specify the nature and extent of retrospective application of new requirements to existing
facilities and activities.
General nuclear safety objective
To protect individuals, society and the environment from harm by establishing and
maintaining in nuclear installations effective defences against radiological hazards.
Radiation protection objective
To ensure that in all operational states radiation exposure within the installation or due
to any planned release of radioactive material from the installation is kept below prescribed
8
limits and as low as reasonably achievable, and to ensure mitigation of the radiological
consequences of any accidents.
Technical safety objective
To take all reasonably practicable measures to prevent accidents in nuclear installations
and to mitigate their consequences should they occur; to ensure with a high level of
confidence that, for all possible accidents taken into account in the design of the installation,
including those of very low probability, any radiological consequences would be minor and
below prescribed limits; and to ensure that the likelihood of accidents with serious
radiological consequences is extremely low.
All other principles and criteria relevant to nuclear safety and radiation protection are
derived from these three overall safety objectives. In its report [7], the International Nuclear
Safety Advisory Group has formulated a number of these derived principles and proposed one
possible way of presenting them graphically in a hierarchical presentation and, as they are not
independent from each other, showing also their interrelationship. As they are the immediate
sources of corresponding safety criteria, they will be considered together with such criteria. In
preparing the safety fundamentals, NUSSC went even further in condensing the principles
derived from the three basic safety objectives and identified 25 basic safety principles (see
Table III), which have been taken up as technical basis for the Nuclear Safety Convention (see
Table IV). The defence in depth concept and engineered safety features are dealt with in
Section 3.
1.1.5.2. Basic safety principles
It is useful to see what kind of safety principles have been presented for nuclear power
plants in the safety fundamentals document. Table III summarizes the basic safety principles.
These principles should form a basis for national safety criteria (see 1.3.6). The principles for
governmental organization are described in 1.1.3 and 1.1.4.
The following is an extract of the Safety Fundamentals [8] presenting safety principles
for nuclear power plants:
Management of safety
x Organizations engaged in activities important to safety should establish policies that give
safety matters the highest priority, and shall ensure that these policies are implemented
within a managerial structure having clear divisions of responsibility and clear lines of
communication.
x Organizations engaged in activities important to safety shall establish and implement
appropriate quality assurance programmes that extend throughout the life of the
installation, from siting and design through to decommissioning.
x Organizations engaged in activities important to safety shall ensure that there are sufficient
numbers of adequately trained and authorized staff working in accordance with approved
and validated procedures.
9
TABLE III. 25 IAEA SAFETY PRINCIPLES PRESENTED IN THE SAFETY
FUNDAMENTALS
Government/Organization
x
x
x
x
x
x
x
x
Legislation
Operator’s responsibility
Independent regulator
Safety policy: safety first
QA programmes
Competent staff
Human performance
Emergency response
Design of NPP
Operation of NPP
x Siting
x Prevention of accidents
x Defence in depth
x Proven technology
x Man-machine interface
x Radiation protection
x Safety assessment &
independent verification
x Commissioning
x
x
x
x
x
x
x
x
x
Operational limits and conditions
Competent operators & procedures
Engineering & technical support
Emergency operating procedures
Operating experience feedback
Waste management
Decommissioning
Verification: analysis & surveillance
Systematic safety reassessment
x The capabilities and limitations of human performance shall be taken into account at all
stages in the life of the installation.
x Emergency plans for accident situations shall be prepared and appropriately exercised by
all organizations concerned. The capability to implement emergency plans shall be in
place before an installation commences operation.
Siting
x The site selection shall take into account relevant features that might affect the safety of
the installation, or be affected by the installation, and the feasibility of carrying out
emergency plans. All aspects shall be evaluated for the projected lifetime of the
installation and re-evaluated as necessary to ensure the continued acceptability for safety
of site related factors.
Design and construction
x The design shall ensure that the nuclear installation is suited for reliable, stable and easily
manageable operation. The prime goal shall be the prevention of accidents.
x The design shall include the appropriate application of the defence in depth principle so
that there are several levels of protection and multiple barriers to prevent releases of
radioactive materials, and to ensure that failures or combinations of failures that might
lead to significant radiological consequences are of very low probability.
x Technologies incorporated in a design shall be proven or qualified by experience or testing
or both.
x The systematic consideration of the man-machine interface and human factors shall be
included in all stages of design and in the associated development of operational
requirements.
10
x The exposure to radiation of site personnel and releases of radioactive materials to the
environment shall be made by design as low as reasonably achievable.
x A comprehensive safety assessment and independent verification shall be carried out to
confirm that the design of the installation will fulfil the safety objectives and requirements,
before the operating organization completes its submission to the regulatory body.
Commissioning
x Specific approval by the regulatory body shall be required before the start of normal
operation on the basis of an appropriate safety analysis and a commissioning programme.
The commissioning programme shall provide evidence that the installation as constructed
is consistent with design and safety requirements. Operating procedures shall be validated
to the extent practicable as part of the commissioning programme, with the participation of
the future operating staff.
Operation and maintenance
x A set of operational limits and conditions derived from the safety analysis, tests and
subsequent operational experience shall be defined to identify safe boundaries for
operation. The safety analysis, operating limits and procedures shall be revised as
necessary if the installation is modified.
x Operation, inspection, testing and maintenance and supporting functions shall be
conducted by sufficient numbers of adequately trained and authorized personnel in
accordance with approved procedures.
x Engineering and technical support, with competence in all disciplines important for safety,
shall be available throughout the lifetime of the installation.
x The operating organization shall establish documented and approved procedures as a basis
for operator response to anticipated operational occurrences and accidents.
x The operating organization shall report incidents significant to safety to the regulatory
body. The operating organization and the regulatory body shall establish complementary
programmes to analyse operating experience to ensure that lessons are learned and acted
upon. Such experience shall be shared with relevant national and international bodies.
Radioactive waste management and decommissioning
x The generation of radioactive waste, in terms of both activity and volume, shall be kept to
the minimum practicable by appropriate design measures and operating practices. Waste
treatment and interim storage shall be strictly controlled in a manner consistent with the
requirements for safe final disposal.
x The design of an installation and the decommissioning programme shall take into account
the need to limit exposures during decommissioning to as low as is reasonably achievable.
Prior to the initiation of decommissioning activities, the decommissioning programme
shall be approved by the regulatory body.
11
Verification of safety
x The operating organization shall verify by analysis, surveillance, testing and inspection
that the physical state of the installation and its operation continue in accordance with
operational limits and conditions, safety requirements and the safety analysis.
x Systematic safety reassessments of the installation in accordance with the regulatory
requirements shall be performed throughout its operational lifetime, with account taken of
operating experience and significant new safety information from all relevant sources.
1.2. INTERNATIONAL SAFETY RELATED CONVENTIONS
1.2.1. Convention on Nuclear Safety
1.2.1.1. Introduction
Prior to adoption of the Convention on Nuclear Safety (CNS) [11], the control and
regulation of nuclear energy for peaceful purposes was governed almost exclusively by the
domestic national laws of states using nuclear technology. An important result of the
Convention was to bring the subject of nuclear safety within the ambit of international law for
the first time.
When a state adheres to an international treaty or convention, such as the CNS, that
action has both internal and external legal consequences. Adopting an international instrument
requires a state to conform its internal laws and regulations to the terms of that instrument.
However, by adopting the instrument, a state also incurs obligations to all other states that are
party to the instrument. This means that a state’s activities regarding nuclear safety are
properly subject to review and assessment by other states, through the processes and
procedures contained in the CNS. Under this legal regime, states now have a right (indeed, an
obligation) to make judgements about how other States are conducting their nuclear safety
activities, and whether they are complying with their obligations under the convention.
Three aspects of the Convention on Nuclear Safety are important in understanding its
status as an international law instrument. First, it is useful to provide a context for the CNS by
reviewing the historical and political background of its development and to outline its basic
character under international law. Second, an article-by-article review of the convention’s
substantive provisions is necessary to clarify the overall structure and content of its
obligations. And third, a discussion of the procedural mechanism set forth in the CNS is
essential to understand how it is implemented, both within States and multilaterally.
12
1.2.1.2. Historical and political background
Origins of the Convention on Nuclear Safety
As stated, from the beginning of the nuclear age, regulation of the safety of nuclear
facilities was deemed a matter of strictly national jurisdiction. However, the major reactor
accident at Chernobyl in the USSR (now Ukraine) in 1986 fundamentally changed the
thinking of both the public and governments on this approach. Because of the transboundary
impacts of the accident, many governments urged that an international legal instrument be
adopted to codify basic measures that States should follow to ensure an appropriate level of
safety at their nuclear installations. Immediately following the accident, a number of member
states of the IAEA called for negotiation of a nuclear safety convention. However, at that time
there was insufficient political will to go forward, and the initiative languished for several
years.
Negotiation of the CNS
In September 1991, the General Conference of the IAEA adopted a resolution
requesting the Director General to establish an informal open-ended working group to develop
the text of a safety convention. The terms “informal” and “open-ended” meant that the
convention text would be developed by a body comprised of safety experts, rather than
governmental representatives with firm political instructions, and that the body would be open
to all interested IAEA member states. The work of the expert group was not a formal
diplomatic negotiation, but an extended technical and legal process conducted in some nine
meetings over a 3 year period. This approach permitted consultations on the text to be quite
flexible; less shaped by political considerations than the technical and managerial principles of
good practice on nuclear safety. The working document for the CNS was the IAEA Safety
Fundamentals document which reflected a consensus of technical experts over the previous
years. The fundamental task of the working group was to convert the principles in this nonbinding guidance document into provisions that states would be willing to accept as binding
under international nuclear law. This process obviously involved many compromises and
reformulations. For this reason, the CNS text differs in some respects from the underlining
safety fundamentals documents.
After the open-ended working group produced a basic text, a more formal phase of the
negotiations was needed to transform the informal document into an instrument that could be
codified into international law. In June 1994 a Diplomatic Conference was convened to enable
accredited government representatives to produce such an instrument. The month-long
Diplomatic Conference considered a wide range of controversial issues, and was able to adopt
a consensus text. The Convention was opened for signature by States at the September 1994
IAEA General Conference. However, even after acquiring a number of signatures, a
convention is not legally effective until the required number of States have completed their
domestic procedures to formally approve it. By 1996 the required number of countries (in this
case, 27) had formally completed their internal reviews and expressed approval of the text.
Thus, the CNS entered into force as binding on its parties in October 1996. Some countries
(including the United States of America) delayed approval because of complex internal
procedures or policy reasons. The CNS has now been adopted by substantially all countries
operating nuclear power reactors and several that do not. At the time this book was prepared,
there is only one country that has a nuclear power installation and is not a CNS Party.
13
Basic character of the Convention
The basic character of the Convention is an important issue. International instruments
come in different forms, and the CNS could have been much different in its fundamental
approach to enhancing nuclear safety worldwide.
One type of instrument could be characterized as a “Regulatory Convention”. Such a
Convention would have established reasonably concrete rules for States that would be subject
to supervisory measures implemented by an international secretariat. An example of such an
instrument is the Nuclear Non-Proliferation Treaty (NPT). It establishes an obligation for a
State party to accept the application of IAEA safeguards to certain nuclear activities under its
jurisdiction. And the IAEA has established and maintains a professional Department of
Safeguards to conduct inspections and other procedures in individual countries. During
negotiation of the CNS, it was clear that few countries wanted a regulatory convention in the
field of nuclear safety. They were willing to accept a number of obligations under
international law, but were not willing to have those obligations monitored or enforced by an
international regulatory body. The IAEA role in CNS implementation is, thus, quite limited —
unlike the NPT. The IAEA has promulgated important safety guidance documents that help in
the application of the Convention’s substantive obligations. And the IAEA conducts safety
missions, at the request of its member states, that can help demonstrate compliance with a
nation’s CNS its obligations under the Convention. However, these missions are not
inspections, and their results do not amount to a regulatory system.
A second type of instrument under international law could be called a “Sanctions
Convention”. Such conventions or instruments establish very clear obligations that, if
violated, can lead to stringent penalties or enforcement measures by other parties. Many such
instruments cover commercial or trade relationships, where violations can result in financial
penalties or the withdrawal of economic benefits. During negotiations of the CNS, it became
clear that involved experts and delegations were not interested in a sanctions regime where
States parties would be subject to specific penalties for lack of compliance.
The rejection of the “regulatory” and “sanctions” approaches led the negotiators to focus
on a third alternative. For lack of a better term, that came to be known as an “Incentive
Convention”. An “Incentive Convention” is basically an instrument that contains a set of
international obligations and an implementation process that produces political pressure on a
State to comply with its obligations conscientiously and rigorously. In the case of the CNS,
implementation is grounded in a so-called “peer review process” in which states prepare
national reports demonstrating their compliance with the CNS and other countries are given
an opportunity to review and comment on those reports at periodic meetings of the parties.
This “peer review process” was judged most likely to encourage conscientious application of
the CNS, without the disadvantages of a “regulatory” or “sanctions” approach.
1.2.1.3. Initial provisions
A number of initial provisions in the CNS are important to understanding how the
instrument is to be implemented.
14
Preamble of the Convention
The preamble of an international Convention is set forth at the beginning of the
instrument to explain its underlying factual and policy bases. The CNS preamble consists of
ten paragraphs, only a few of which are of particular interest.
Paragraph (iv) of the preamble establishes the desire of the parties to promote an
effective nuclear safety culture. This is the only place in the Safety Convention where the term
safety culture is mentioned. Safety culture is a central concept for the enhancement of nuclear
safety. However, the concept is difficult to define and inherently impossible to establish as a
specific international law obligation. Nevertheless, the CNS parties felt that the importance of
safety culture should be emphasized, recorded the need to promote the concept in the
convention’s preamble.
Paragraph (v) of the preamble recognizes that accidents at nuclear installations have the
potential for transboundary impacts. This is one of the fundamental reasons why it is desirable
to have an international treaty covering the subject.
In a very important paragraph (viii), the preamble describes the relationship of
fundamental safety principles developed by the IAEA to the international law obligations
contained in the CNS. Some governments wanted to have the Convention including a
provision that would have adopted IAEA Safety Standards as international law obligations.
However, as mentioned earlier, most States were not willing to give principles developed as
voluntary guidelines a binding legal effect. However, most states agreed that the CNS should
include some recognition of the value of IAEA Standards in achieving safety. Paragraph (viii)
in the preamble seeks to accomplish this objective in the following statement: “recognizing
that this Convention entails a commitment to the application of fundamental safety principles
for nuclear installations rather than of detailed safety standards, and that there are
internationally formulated safety guidelines which are updated from time to time and so can
provide guidance on contemporary means of achieving a high level of safety”. There was also
general agreement that IAEA Safety Standards could be referred to by parties in explaining
how they had implemented specific articles of the convention. Therefore, IAEA Safety
Standards have been imported indirectly into the CNS as an efficient way of demonstrating
how a party has complied with its obligations.
Paragraph (viii) recognizes another important aspect of nuclear safety; namely, that
technical and management approaches evolve over time. One of the concerns expressed by
some experts in negotiating the CNS was how the instrument could codify standards or rules,
but do so in a way that would enable them to adjust to change. The CNS parties acknowledge
this issue in paragraph (viii) of the preamble, which states the view that practical
implementation of the CNS can benefit from referring to the evolving body of internationally
formulated (i.e. IAEA) standards to help achieve the Convention’s objectives.
Objectives of the Convention
Although the provisions of international conventions that define their objectives are not
— strictly speaking — obligations, they are important as a means for interpreting and applying
these legal instruments. If an obligation in a convention is unclear or contradictory, the
objectives of the instrument — as stated in an introductory article — can be used to interpret
its proper meaning.
15
In Article 1 the CNS explicitly identifies the following three objectives:
x
To achieve and maintain a high level of nuclear safety worldwide through the
enhancement of national measures and international co-operation including, where
appropriate, safety-related technical co-operation;
x
To establish and maintain effective defences in nuclear installations against potential
radiological hazards in order to protect individuals, society and the environment from
harmful effects of ionizing radiation from such installations;
To prevent accidents with radiological consequences and to mitigate such consequences
should they occur.
x
Scope of the Convention
A threshold issue for any legal instrument is to determine what activities it will cover.
This basic issue was debated in both the expert working group and at the Diplomatic
Conference. Many countries sought a broad scope of coverage, to include not only power
reactors, but also research and test reactors, fuel cycle facilities, nuclear waste management
and even military activities. Other countries felt that including several major subjects in one
instrument would create difficulties: first, in obtaining approval of the CNS under their
national systems; and second, to in implementing an efficient and effective review process
under the CNS. It was finally decided that the primary focus should be on nuclear power
reactors: first, because such installations posed the greatest risks of major injury (including
transboundary damage); and because a clearer expert consensus had been developed on
fundamental safety elements for power reactors.
Therefore, Article 3 defines the scope of the Convention as covering nuclear
installations (defined in Article 2.i) as land based civil nuclear power reactors). The CNS
includes one limited exception to the exclusion of nuclear waste; namely, it also covers
storage, handling and treatment facilities for radioactive materials that are on the same site
and directly related to the operation of the installation.
Implementing the CNS through national law
Article 4 of the Convention states that a contracting party “shall take, within the
framework of its national law, the legislative, regulatory and administrative measures and
other steps necessary for implementing its obligations under this convention.” This provision
explicitly recognizes the “internal” legal effect of the CNS mentioned earlier. Some
international lawyers might argue that Article 4 is not needed, because international law
principles require every country to implement its treaty obligations in good faith, which
includes making any necessary changes to domestic legal provisions.
Safety of existing installations
The most difficult article in the CNS is Article 6: Existing nuclear installations. It was
the most contentious provision in the convention, as well as the last article to be agreed at the
diplomatic conference. Article 6 deals with the issue that engendered the political pressure to
negotiate the Convention in the first place; namely, how to ensure the safety of nuclear
installations constructed to earlier standards. In reality, this article covers all power reactors in
16
operation at the time the CNS entered into force. However, its real focus is reactors
constructed without robust containment structures and without application of other modern
“defence-in-depth” principles. The primary debate was over what actions countries should
take regarding installations that arguably lack modern safety features. Some experts argued
that an installation should be considered “safe enough” if it complied with requirements
existing at the time it was constructed and first operated. Most parties, however, felt that such
an approach would be inconsistent with the primary objective of CNS; namely, to raise
nuclear safety levels. The requirements of Article 6 fall into four categories.
x
First, a state party is to take appropriate steps to ensure that safety is reviewed as soon as
possible. This means that operators and regulators must examine the safety case for
existing reactors. The article does not detail how this is to be done. However, by
implication, the review must be based on up-to-date standards.
x
Second, a state party must ensure that all reasonably practicable improvements are made
to upgrade safety. This does not mean that all measures to improve safety must be taken,
but that those that are reasonable from a technical, economic, management perspective
should be implemented in a timely manner.
x
Third, if a state party cannot upgrade its nuclear installations to this new level of safety, it
has to make plans to shut them down.
x
Fourth, the timing of shut-down can take into account various factors, including the
whole energy context, possible alternatives and social, environmental and economic
impact.
The most contentious debate revolved around defining the factors to be considered in
shutting down a reactor that would not meet the current highest level of safety. The factors
finally adopted obviously represent a compromise between States that wanted a very stringent
safety-related standard for shutdown and those that wanted other factors to be considered. In
the final analysis, the extended list of factors that may be considered includes so many nonsafety-related elements that the provision fails to provide any precise guidance on whether a
particular facility should be shut down. However, the presence of Article 6 in the CNS means
that parties must include information on their reviews of existing facilities in their respective
national reports and must justify any decision to continue to operate installations that do not
meet current safety standards.
1.2.1.4. Technical provisions of the CNS
Having considered the history of the Convention and some of the initial provisions that
describe its basic character and approach, it is necessary to review its so-called “technical
articles”; namely, those that contain the specific obligations of parties under the CNS regime.
Legislative and regulatory framework
The first section of technical articles deals with general safety considerations, beginning
with the important subject of legislative and regulatory framework.
17
Article 7 requires a State Party to establish and maintain a legislative and regulatory
framework for nuclear safety, a framework that includes the classic elements of regulation:
safety requirements and regulations; a system of licensing; inspection and assessment; and an
enforcement process.
Article 8 sets forth requirements for the regulatory body, including the essential
elements of adequate authority, competence and financial and human resources to fulfil its
assigned responsibilities. This article also treats the very important issue of the regulatory
independence, stating that contracting parties must take appropriate steps to ensure an
effective separation between the functions of the regulatory body and those of any other body
or organization concerned with the promotion or utilization of nuclear energy. This “effective
separation” principle lies at the heart of regulatory independence.
Article 9 is a very important codification of the well-recognized principle that the
operator of the facility has the primary responsibility for safety. Although other actors in the
nuclear field (architects, engineers, regulators, contractors, suppliers) have important roles to
play in achieving safety, the operating organization is the entity that must finally ensure that
an installation is safe.
General safety considerations
The general safety consideration part of the Convention consists of seven separate
provisions (Articles 10–16): priority to safety; financial and human resources; human factors;
quality assurance; assessment and verification; radiation protection; and an important article
on emergency preparedness. These articles have been drafted as broad principles and apply to
all aspects of a nuclear installation. Since most are self-explanatory, their language will not be
reviewed in detail. As will be evident, they codify well-understood concepts in nuclear safety,
such as the ALARA (as low as reasonably achievable) principle for radiation protection
(Article 15). It is also interesting to note, however, that this section contains the only provision
specifically directed to States that do not operate nuclear facilities. Article 16.1.3 requires
parties that do not have a nuclear installation on their territories to prepare and test emergency
plans to cover possible radiological emergencies resulting from a nuclear installation in the
vicinity.
Safety of installations
The next section of the Convention (Articles 17–19) covers familiar safety-related
subjects, including siting, design, and operation of nuclear installations. Article 18 codifies
other familiar safety principles, including defence in depth, human factors and the manmachine interface. Article 19 — Operation is the longest technical article in the Convention,
containing eight separate sub-articles that were originally drafted as separate articles. This
article codifies a number of familiar nuclear safety principles, including: operational limits
(sub-article ii); incident reporting (sub-article vi); analysis of operating experience (sub-article
vii); and waste minimization (sub-article viii). Table IV summarizes these provisions, not all
of which will be discussed in detail.
1.2.1.5. Implementation process under the CNS
Because of its “incentive” character, the CNS review process lies at the heart of the
convention. The basic model for this process was the review process under the Nuclear Non
18
Proliferation Treaty. Many international conventions or treaties conduct review processes.
Each such process is somewhat different, reflecting the particular subject matter and policy
considerations in the field of its coverage. Under the CNS, the parties were constructing — for
the first time — a review process to apply to nuclear reactor safety.
Basic requirements for the review process
The provisions dealing with how this review process is to be structured are found in
Chapter 3 — “Meetings of the Contracting Parties” (Articles 20–28). These provisions are
extremely general, leaving most of the decisions concerning the form and content of the
review process to the procedural rules that will be developed later. Several important
provisions should be noted:
x The first authorizes the formation of sub-groups for the purpose of reviewing specific
subjects contained in the national reports mandated in Article 5 (Article 20.2). As will be
seen, this Article 20.2 provision was basically re-written by the parties when they decided
that sub-groups would not be organized by subject.
TABLE IV. TECHNICAL PROVISIONS OF THE CONVENTION ON NUCLEAR
SAFETY
Legislation and regulation
x Legislation and regulatory
framework
x Safety requirements and
regulations
x System of licensing
x Regulatory inspection and
assessment
x Enforcement
x Regulator with authority
x Independent regulator
x Operator’s responsibility
General safety
consideration
x Priority to safety
x Financing for safety
x Competence of staff
x Human performance
x Quality assurance
x Safety assessment
x Verification: analysis
and survey
x Radiation protection
x Emergency preparedness
Safety of installation
x Siting: effect of environment to
NPP
x Siting: effect of NPP to
environment
x Siting: re-evaluation/consulting
x Design: defence in depth
x Design: proven technology
x Easily manageable operation
x Initial authorization and
commissioning
x Operational limits and conditions
x Procedures for operations, etc.
x Emergency operating procedures
x Engineering and technical support
x Incident reporting
x Operating experience feedback
x Waste management
x A second provision says that contracting parties shall have a “reasonable opportunity” to
discuss the reports of others Article 20.3). The article leaves unspecified what should be
considered a “reasonable opportunity”.
x The third requirement is that the parties will conduct a preparatory meeting within six
months after entry in the force of the Convention to develop the procedures for the review
process. (Article 21.1). Also, the first review meeting is to be conducted no later than two
19
and half years after entry into force (Article 21.2). The interval between the meetings
should be no longer than 3 years (Article 21/3).
x Procedural arrangements for the meetings of the parties are to be contained in rules of
procedure and financial rules to be adopted by a consensus of the parties (Article 22).
x An important provision (Article 24) requires parties to attend meetings, one of the few
concrete obligations (in addition to preparing a national report) in the CNS.
x Article 27 permits parties to seek confidentiality of information they provide.
x And finally, Article 28 provides that the IAEA “shall provide the secretariat” for the
meetings.
Phases of the CNS review process
Even a close reading of Chapter 3 of the CNS will not provide the reader with a clear
picture of how the Convention’s review process is to be conducted. To simplify a somewhat
complicated subject, the review process can be divided into six phases:
x Phase 1 — Each State party prepares a national report, describing how it has met the
obligations contained in the Convention;
x Phase 2 — States parties receive the national reports of all other parties and review them
(this means that each country must consider some 50 reports);
x Phase 3 — States parties develop questions and comments that are transmitted to the
relevant countries through the respective country group co-ordinators not less than
60 days before the meeting;
x Phase 4 — States parties attend the CNS review meeting in Vienna, where they discuss
the reports of other parties in country groups, present their own national reports and
respond to questions and comments submitted prior to the meeting and any made during
country group sessions;
x Phase 5 — Country group rapporteurs develop an oral report to be delivered at the final
plenary identifying main issues, themes or conclusions arising from group discussions;
x Phase 6 — The entire meeting of the parties considers and approves by consensus a
summary report of the overall meeting prepared by the President.
National reports
Article 5 contains one of the few precise obligations in the convention; namely, to
prepare and make available a national report, including a self-assessment of steps and
measures taken to implement the convention. Failure to prepare such a report constitutes one
of the few clear cases in which a violation of the CNS can be demonstrated. Neither the CNS
text nor the procedural rules provide much guidance on the form, content or length of these
reports. The preparatory meeting adopted rule 40.2, which recognizes that each party has the
right to submit reports with the “form, length and structure” it believes necessary. With
45 countries preparing national reports, a very complex set of documentation could have
resulted, making the task of comparing and contrasting the nuclear safety situation in different
20
countries very difficult. However, most countries did what is reasonable, following the basic
outline of the CNS articles. Also, at the first review meeting, most national reports turned out
to be less than 100 pages in length.
Neither the CNS text nor the procedural rules indicate who is responsible for preparing
the national reports? The Convention only establishes a national obligation to report, an
obligation that can be implemented by any nationally-designated entity. The issue of who
prepares the report bears an interesting relationship to Article 9, which provides that primary
responsibility for the safety of a nuclear installation rests with the operator. Given this
provision, one might have expected national reports to be prepared in substantial part by
operating organizations. In fact, at the first review meeting, national reports were prepared by
the regulatory organization in each country.
Country groups
When a national report is prepared and submitted, what happens at the meeting to
implement the “peer review” that lies at the heart of this “incentive” convention? One of the
central issues debated at the preparatory meeting of CNS I was whether you would organize
sub-groups on the basis of subject matter (as the language of Article 20.2 suggests) or on
some other basis, such as geographic grouping or technology (e.g. certain reactor types). A
consensus finally concluded that safety should be viewed as a whole for each country.
National reports should be reviewed comprehensively to assess the overall status of nuclear
safety in each country. It follows that the best way accomplish this overall review is to form
sub-groups organized by countries.
The preparatory meeting basically decided how many countries could be reviewed in the
time available (two weeks) and divided the 45 parties into a corresponding number of groups
(six), each with 7 or 8 members. This arrangement allowed one day for the review of the
national report of each nuclear -power state, with less time for non-nuclear-power states. In
assigning countries to groups, it was decided that diverse groups would produce a better
review. Therefore, countries were assigned according to the number of reactors they operated.
The country with largest number of reactors was assigned to group 1; the country with the
second largest number to group 2; the country with the third largest number to group 3; and so
forth.
After an introductory presentation by the reporting country, the country groups
discussed each national report in detail. This discussion had been previewed in questions and
comments submitted previously through designated country group coordinators.
Confidentiality
A contentious issue during the CNS negotiations concerned whether some or all of the
CNS process, including national reports should be kept confidential. The issue is important
because of its relation to the central concept of the Convention as an “incentive” instrument.
Many governments argued that, unless national reports were made public, and the CNS review
also conducted openly, the Convention would not achieve one of its important — though
unstated — objectives: to increase public confidence in the safety of nuclear installations.
Other governments argued strongly that a public review process would be a disincentive for
many countries to be candid about the problems they might be experiencing in nuclear safety.
The result was that countries were allowed to submit confidential reports (Article 27.1 and
21
27.2) and that the debates during the review of reports would be confidential (Article 27.3).
However, in the CNS I process, no national report was submitted as confidential. Indeed, most
of the national reports were placed by their countries on the Internet. However, the discussions
in country groups and plenary debates at CNS I were held in confidence, with only the
summary report under Article 25 made public.
Languages
The issue of what languages could be used in the CNS review was expected to create
difficulties, given the fact that the United Nations system recognizes six official languages. It
was recognized that interpretation of the meeting and translation of documents into all six
languages would be enormously expensive, far beyond the budgets of the parties or the IAEA.
To cut the cost of review, there were proposals to adopt a single working language. Article 26
preserves the principle that all official languages are equal, providing that the languages of the
meetings of the CNS contracting parties shall be Arabic, Chinese, English, French, Russian
and Spanish. However, a pragmatic and financially acceptable compromise was provided to
permit adoption of one or more working languages under the rules of procedure. The rules of
procedures for the first meeting provided, that in any meeting of the review process a country
can request one of the official languages. However, most of the sessions were conducted in
English — as the primary working language — with some sessions being conducted with
Russian translation. This made the costs of interpretation/translation much less expensive.
Rapporteurs’ oral reports and records of the CNS meeting
Under the procedural rules, a oral report by a rapporteur from each country group was to
be made at the final plenary meeting. These oral reports were to provide the basis for the
written summary report provided by Article 25. It was decided that notes upon which the oral
reports be prepared by the rapporteurs would be kept as permanent records by the IAEA
Secretariat. Country group sessions were to be conducted on a confidential basis, with no
records. The issue of record-keeping for plenary sessions was treated separately under rule 42,
where it was agreed that plenaries would be electronically recorded. However, due to a
bureaucratic oversight, no such recordings were made, except for the final day’s plenary. As a
result of these procedural decisions, the documentary records of the CNS review meetings are
very sparse. The most substantive information is contained in the oral reports of country group
rapporteurs, whose notes are available only to CNS parties.
Summary report of the review meeting
Article 25 of the CNS provides that the contracting parties “shall adopt, by consensus,
and make available to the public a document addressing issues discussed an conclusions
reached during the meeting.” With 45 separate states represented at the meeting, any one of
which could block consensus on the wording of such a report, it is — perhaps — surprising
that the President of the first CNS review meeting (Mr. Lars Högberg of Sweden) was able to
produce an eight-page summary report that achieved consensus.
Results of the first CNS review meeting (CNS I)
The first review meeting of the contracting parties of the CNS, conducted in April 1999
was attended by 45 contracting parties. As discussed previously, the primary achievement of
this meeting was to establish detailed procedural and financial arrangements for a process that
22
was left quite vague in the text of the Convention itself. Except for three non-nuclear
countries, all parties met their fundamental obligations to prepare national reports (Article 5)
and to be represented at the meeting (Article 24.1). These national reports, most of which
were made public (many on the world wide web), represent a useful record of the state of
nuclear safety worldwide as of the end of the last millennium. They provide a baseline for
future assessment of whether levels of nuclear safety in any particular country, or generally,
are being raised or are deteriorating. As also mentioned, the country groups at CNS I
conducted active discussions of the nuclear safety programmes of each party, with oral reports
in the final plenary by group rapporteurs. The final summary report prepared by the President
and agreed by consensus also contains some indicative observations on matters important to
enhancing nuclear safety. Some of the most notable are the following:
x The legislative framework is well established in most countries;
x Some countries who started their nuclear programme some decades ago have found that
their legislation now needs updating;
x All contracting parties had established regulatory bodies. For some countries, questions
were raised as to the effective independence, administrative position, and the human and
financial resources of their regulatory bodies;
x The status and position of the regulatory bodies remains an important topic to be dealt
with in future national reports and review meetings. Special attention should be given to
the development of assured human and financial resources;
x The advantages and limitations of regulations of a detailed prescriptive nature as
compared to less prescriptive, goal oriented approaches and the complementary use of risk
based assessments were discussed. Although no preferable approach was identified, some
countries have agreed to review their experience and report at the next review meeting.
The second CNS review meeting (CNS II)
The schedule for the second CNS review meeting is April 2002. A preparatory meeting
conducted in September 2001 decided to make only very modest adjustments to the process
used for the first meeting in 1999. The rules of procedure and financial rules for this process
were amended only to provide that the chairs and rapporteurs in any country group are not
nationals of any state in that group. This addresses the potential conflict-of-interest problem
raised at the first meeting, where — in some few instances — country group chairs or
rapporteurs took decisions concerning the safety record of their own countries. As a result of
new parties and some changes in the nuclear programme of states parties, the composition of
country groups at the CNS II are different. Some differences of emphasis in the review at
CNS II can be expected. At CNS I, substantial attention was paid to the legislative and
regulatory framework of each party; a threshold issue that need not be repeated, unless a
country has revised its laws or reorganized its regulatory institutions.
23
1.2.2. Other international nuclear safety related conventions
1.2.2.1. Convention on Early Notification of a Nuclear Accident [12]
The Convention on Early Notification of a Nuclear Accident establishes a notification
system for nuclear accidents that have the potential for international transboundary release that
could be of radiological safety significance for another state.
The objective of the Convention is to provide relevant information about nuclear
accidents as early as possible in order that transboundary radiological consequences can be
minimized. The scope of the Convention is any accident involving facilities or activities from
which a radioactive release occurs or is likely to occur and which may result in a
transboundary release that could be of radiological safety significance for another state.
Facilities or activities involved are: nuclear reactor; fuel cycle or waste handling facility or
respective transportation and storage; manufacture, use, transport or disposal of radioisotopes.
Obligations of contracting parties are the following: A state party having a nuclear or
radiological accident going on in its territory shall:
x Make the accident known to the IAEA and other states parties competent authorities and
points of contact;
x Notify those states which may be affected the nature, time of occurrence and exact location
of the nuclear accident;
x Provide promptly the states affected with such available information relevant to minimize
the radiological consequences;
x Respond promptly to a request for further information or consultations sought by affected
state party;
x Ensure the provision of further information: e.g. Facility or activity, cause and foreseeable
development, meteorological and hydrological conditions, and off-site protective measures
taken or planned; and
x To supplement information at appropriate intervals.
Obligations to the IAEA are the following:
x To ensure confidentiality of confident information (applies also to other state parties);
x To maintain an up-to-date list of points of contact and provide it to others;
x To assist non-nuclear countries in investigations concerning radiation monitoring systems;
x To provide depositary functions.
1.2.2.2. Convention on Assistance in the case of a Nuclear Accident or Radiological
Emergency [12]
The Convention on Assistance in the case of a Nuclear Accident or Radiological
Emergency sets out an international framework for co-operation among parties and with the
24
IAEA to facilitate prompt assistance and support in the event of nuclear accidents or
radiological emergencies.
Objectives of the Convention are:
x To establish an international framework to facilitate prompt provision of assistance in the
event of a nuclear accident or radiological emergency to mitigate its consequences;
x States parties shall co-operate between themselves and with the IAEA to facilitate prompt
assistance;
x States parties may agree on bilateral arrangements for preventing or minimizing injury and
damage.
Scope of the Convention is the following: In the event of a nuclear accident or
radiological emergency, whether or not such an accident or emergency takes place in one’s
own country, a state party may call for assistance from any other state, IAEA or other
international intergovernmental organizations where appropriate.
Obligations of contracting parties are as follows:
x A requesting state party shall specify the scope and type of assistance needed and provide
the information necessary for determining the extent of assistance to be given;
x A state party to which a request is directed shall promptly decide and notify whether it is
in a position to render the assistance requested and in which extent;
x IAEA shall respond to a request for assistance, make available appropriate resources,
transmit promptly the request to other states and international organizations and coordinate the assistance at international level;
x The assisting state shall, designate a person responsible for staff and equipment delivered,
co-ordinate the assistance relating medical treatment, make efforts to co-ordinate release
of information;
x The requesting state shall co-ordinate the assistance in its territory, provide local facilities
and services for effective administration, ensure the protection of personnel and equipment
delivered, facilitate entry, stay and departure of personnel, ensure the ownership and return
of equipment, afford privileges and immunities to personnel.
The state parties shall inform points of contact to the IAEA and others, identify and
notify the IAEA about experts, equipments and materials which could be delivered, protect
the confidentiality of confidential information, facilitate transit through its territory of duly
notified personnel, and co-operate to facilitate the settlement of legal proceedings and claims.
The IAEA shall:
x Collect and disseminate information concerning experts, equipment and materials
available,
x Develop methodologies and techniques to response to nuclear accidents;
x Assist a state party in preparing emergency plans and appropriate legislation;
x Develop training programmes for personnel;
25
x Transmit requests for assistance and maintain an up-to-date list of points of contact;
x Establish and maintain liaison with relevant international organizations;
x Offer its good offices in the event of accident and perform depositary functions.
1.2.2.3. The Joint Convention on the Safety of Spent Fuel Management and on the Safety of
Radioactive Waste Management
The Joint Convention on the Safety of Spent Fuel Management and on the Safety of
Radioactive Waste Management was adopted at a Diplomatic Conference in September 1997
and has been put into force 18 June 2001 [13].
Preamble of the Convention presents the following background: Radioactive waste
should be disposed of in the state in which it was generated whilst recognizing that safe and
efficient management might be fostered through agreements among contracting parties. Any
state has the right to ban import of foreign spent fuel and radioactive waste. Also the
importance of informing the public on the issue has been recognized. Application of relevant
safety standards should be promoted and the international control system should be
strengthened.
Scope of the Convention covers Safety of Spent Fuel and Radioactive Waste
Management excluding off-site transportation and discharges.
Each contracting party shall take appropriate steps to ensure that individuals, society and
the environment are adequately protected against radiological hazards. Safety aspects are
continuously taken into account.
Each contracting party shall take legislative, regulatory and administrative measures and
other steps necessary to implement its obligations. Regulatory body should have an adequate
authority, competence and financial and human resources to fulfil its assigned responsibilities
and have effective independence from other functions. Prime responsibility rests with the
holder of the licence or with contracting party if there is no license holder.
Each contracting party shall submit for review a report to each review meeting of
contracting parties. The report shall address the measures taken to implement each of the
obligations of the convention. The report should address contracting party’s spent fuel
management policy and practices, radioactive waste management policy and practices, criteria
used to define and categorize radioactive waste and include a list of spent fuel management
and waste management facilities.
The IAEA shall:
x Provide the secretariat for the meetings of the contracting parties, convene, prepare and
service the meetings;
x Transmit information received or prepared in accordance with the convention;
x Provide other services in support of meetings as requested by consensus;
x Be the depository of the convention.
26
1.2.2.4. Convention on civil liability for nuclear damage
Following the Chernobyl accident, the IAEA initiated work on all aspects of nuclear
liability with a view to improving the basic conventions on Civil Liability for Nuclear
Damage and establishing a comprehensive liability regime. In 1988, as a result of joint efforts
by the IAEA and OECD/NEA, the joint protocol relating to the application of the Vienna
Convention and the Paris Convention was adopted. The joint protocol established a link
between the Conventions combining them into one expanded liability regime. Parties to the
joint protocol are treated as though they were parties to both conventions and a choice of law
rule is provided to determine which of the two conventions should apply to the exclusion of
the other in respect of the same incident [14].
1.3. NATIONAL REGULATORY FRAMEWORK
1.3.1. The state, its structures and its duties
The state is basically characterized by its sovereignty, which is the basis for
establishing an orderly society. One way of realising and maintaining such a society rests on
adequate structures (national authorities, social, economical and/or industrial organizations)
and on fulfilling corresponding duties. Usually, these duties and structures are distributed in
four levels according to their nature and the competencies they need for implementation. The
first three levels involve the national authorities, namely: (1) the legislative level (parliament);
(2) the executive level (government); (3) the judiciary level (court). These are the regulators.
The fourth level has a different nature and covers the many social, economical and industrial
aspects; it includes all those (individuals and organizations) living and acting under the law of
the state in various areas such as industry, trade, handicraft, business organizations,
agriculture, etc. At that fourth level, we find all those that have to or want to do some
“business”. They are the regulated.
To illustrate this in the nuclear energy perspective, it is useful to mention the main
functions, duties and responsibilities of organizations (and individuals) at these different
levels.
The legislative (parliament) defines and promulgates the legislative frame in which
man and society can develop initiative and activities, (e.g. use of nuclear energy). It sets (by
legislation) an acceptable frame to allow such activities, i.e. giving individuals or
organizations the freedom to undertake such activities, but also setting limits to this freedom,
so as to ensure protection of other people and society. The parliament establishes further the
competence and gives the means to (legally) control activities.
The government (executive) implements the legislation (e.g. though execution of
control and surveillance of nuclear facilities); it creates adequate conditions for beneficial
activities (e.g. adequate education). The government is further responsible for ensuring that
any and all activities remain within the legislative frame, within the acceptable limits and
harmless to others. As a consequence, the government has the competence and duty to control
such activities and the power to intervene in order to prevent harmful evolution (e.g. though
licensing, review and assessment, inspection and enforcement).
27
The court (judiciary) will judge, if necessary, the legality of decisions and actions and
make decisions in cases of contradictory opinions among the “regulated” or between the
regulator and the regulated.
Concerning the fourth level, covering the whole of the regulated industry, which is
very broad, a short characterisation would be either trivial or incomplete; some consideration
will be given below in the Chapter on “responsibilities of the four main actors” in connection
with the industry in charge of implementing a nuclear energy programme.
In the implementation of a national nuclear energy programme, the key-elements are
then: the state and the people of state, the state's legislative (parliament) and the state's
executive (government), various governmental bodies, in particular the regulatory body (for
nuclear safety), and the industry (involving organizations such as utilities and manufacturers).
Concerning the conditions of success of performance, a few rules have to be applied and
respected:
x The role of each organization has to be clearly defined;
x Each organization has to know perfectly its role and has to have competence;
x Each organization is responsible for its own actions;
x Co-operation and co-ordination are to be ensured for the success of the performance;
x Each organization knows and respects the role of the others (i.e. responsibilities and
competence of the others).
The word “responsibilities” appears in many aspects as an important key word.
Responsibilities are in particular always characterised by the following:
x Responsibilities must be clearly defined;
x Responsibilities cannot be shared;
x Responsibilities cannot be delegated.
When an organization bears a specific responsibility, it is always on individuals
belonging to that organization that duties and responsibilities will fall. These are the duties to
— and the responsibilities for — implementing the actions necessitated by taking charge of
the organization's responsibility. These duties will fall first on the organization's head, who
may and usually will delegate parts of the actual work to other individuals within the
organization. But to be noted is the following: despite the distribution of tasks to a set of
individuals — and of the associated individual responsibilities — the organization as such
remains fully responsible for the whole undertaking, and the organization's head remains fully
responsible for the whole work done by his personnel.
The nuclear safety convention, recognising implicitly this, underlines that the state is
responsible for all nuclear installations established on the territory over which it has
jurisdiction. Implementation of this responsibility takes place at several levels and in different
areas. In particular, the responsibility for safety lies with the operating organization. The other
organizations are responsible to establish and maintain adequate conditions so that the
operating organization can fulfil its responsibilities successfully.
28
1.3.2. Responsibilities of the four main organizations
Looking in more detail at the roles of these four organizations we identify the main
characteristics of their duties and responsibilities as well as the interrelationships at the
implementation level.
1.3.2.1. Legislative (parliament)
The legislative (parliament) is responsible for establishing the necessary legislative
framework. That means:
x To allow development of the use of nuclear energy (if the nation has decided to do so).
That means practically to facilitate the realisation of the nuclear energy programme
(promotion); and
x To control through dedicated state's (governmental) organs, i.e. regulatory body, the
realisation of the nuclear energy programme or the operating organization(s), in order to
ensure the protection of the population against the associated risk.
These two tasks are not to be opposed to each other, but they have rather to be
considered as complementary. This is essential and leads to the necessary requirement of
independence of the various organizations.
The second task covers one aspect of implementation and responds to the statement
expressed in the nuclear safety Convention with the phrase “The state is responsible for
nuclear installations”.
1.3.2.2. Government
The government, which is the executive that must implement the state's duties and
activities within the frame established by the legislative (parliament), is for fulfilling the
following global tasks:
x Establishing and maintaining the conditions necessary for controlling from the safety
viewpoint the implementation of the “nuclear energy programme” at all its stages (i.e.
siting, construction, commissioning, operation and decommissioning). This means
enacting an adequate legal framework.
x Establishing and maintaining the dedicated state's organs (regulatory body) to implement
the state's surveillance and control of nuclear energy use within the legislative and
regulatory framework. This implies among other things: establishing the legal power of
the regulatory body as well as assuring adequate resources in manpower and funding for
its efficient functioning.
x Protecting of the population against the risk associated with the use of nuclear energy,
developing and establishing the regulatory framework to govern efficiently the state's
surveillance and control of all stages of the nuclear energy programme.
With respect to the legal framework, there are four primary objectives of the legislation;
namely to provide:
29
x The statutory basis for establishing the regulatory body;
x The legal basis for ensuring the realisation of nuclear power plants without undue
radiological risk;
x The regulatory body with the power to establish and enforce regulations with respect to
nuclear safety;
x The financial indemnification in case of severe accident (this is closely associated with
third party liability);
x The regulatory framework for radiological protection of persons of the population and of
workers as part of public health for all sources of ionising radiation and establish the
corresponding surveillance body within the governmental organization. The legislation
must also establish whether the regulatory body in charge of nuclear safety should also be
responsible for the surveillance of “on-nuclear” sources of ionising radiation.
1.3.2.3. Regulatory body
The term “regulatory body” is used in the IAEA Standards to define an authority or a
system of authorities designated by the government as having legal authority for conducting
the regulatory process, including issuing authorizations, and thereby regulating nuclear,
radiation, radioactive waste and transport safety. It includes the national competent authority
for the regulation of radioactive material transport safety. The number of authorities which
comprise the regulatory body and the relationships between them depends on the overall
organization and traditions of a state’s administration.
For any regulatory body, a prerequisite for discharging the responsibility for state's
surveillance is total independence of judgement and of regulatory decision. Therefore, the
regulatory body cannot bear other responsibilities, particularly responsibilities that could
conflict with safety concerns.
In discharging its responsibility for safety, the regulatory body has to endorse
regulatory functions and to perform regulatory actions. This includes establishment and
implementation of the regulatory framework, assessment of safety, licensing decisions,
inspection and enforcement; evaluation of the feedback of experience; keeping abreast of the
state of the art in science and technology; public information. This will be discussed in more
detail in Section 2 as well as in all other Sections.
1.3.2.4. The industry (electrical utilities, operating organizations, manufacturers/suppliers)
Under this designation, the industry is a complex set of different organizations made
up of the operating organization, of the designer and constructor of the nuclear reactor, of
various suppliers, of industrial organizations doing work under contract for the operating
organization etc.
The industry is in charge of realising the nuclear energy programme and, in so doing,
has the duty to propose ways and means to attain the programme's objectives (and also the
freedom to propose adequate technical solutions). But, by so doing, the industry is responsible
for setting its projects within the legislative and regulatory framework and will also be
responsible for respecting the requirements as well as limits and conditions imposed by the
regulatory body for safety reasons.
30
It is important to note here that, depending on the basic legal system of the state the
industry may be either a state or governmental institution (state economy) or a group of
private or corporate enterprises (market economy). In both cases, but particularly in the former
case, the legislative framework should ensure real independence of the regulatory body from
the industry.
It is clear that the operating organization has an essential and central role and,
therefore, bears an important responsibility. This has been largely and internationally
recognised and is reflected in several fundamental IAEA publications and, last but not least,
this has been explicitly formulated in the Convention on Nuclear Safety (Article 9). In short,
one basic principle is: “The operating organization bears the prime (or overall) responsibility
for safety”. Because this prime responsibility cannot be delegated the operating organization
assumes globally the sum of “partial responsibilities” attributed to designers, constructors,
suppliers, etc. during the realisation of the project (or programme). This requirement is
implicitly mentioned in the national legislation of many countries. This sets also the
framework for dealing with the important question of civil liability: only the operating
organization can and has to be declared civilly liable.
1.3.3. Nuclear safety legislation
1.3.3.1. Distribution of regulatory requirements between laws, regulations and guidelines
Establishing and amending laws lies in the competency of the parliament: once they
have been approved and put into force, the laws constitute a stability factor as it takes time
and effort to modify them (needing a new discussion in parliament); they are therefore also
somewhat inflexible. Lower tier legislation is usually enacted by the government in its own
competencies and does not need parliamentary approval, but it may also take time and effort
to amend them or to prepare new ones. This is a reason for avoiding fixing too many details in
the legislation; the law should be limited to establish the general frame in which a set of
activities is allowed and made possible, as well as to provide for governmental supervision.
Regulations are promulgated at a lower level. Usually, ministries or other designated
governmental bodies are competent to prepare and edict regulations; at that level, it is easier to
amend an existing regulation or to promulgate a new one: this is the flexibility factor needed
to keep pace with the development of new knowledge and the feedback of experience. Some
administrative regulations are necessary to establish the rules for the licensing process.
Should a regulatory body feel the need to influence the proposals and the choice made
by applicants and to produce some guidance, the intermediate stage of guides (they are not
mandatory) is usually useful, because it would still be easy to accommodate other technical
solutions, should they be better or more suitable from the applicant viewpoint than those
suggested in the guidelines as well as, of course, acceptable for the regulatory body.
The objective of the legal system is double: To allow the performance of activities
within an acceptable frame and to ensure that these activities are conducted in such a way as
to avoid unacceptable consequences.
31
1.3.3.2. Law and lower tier legislation
The law should be short and very general in order to cover many situations, particularly
situations which are not yet actual or even not yet known, without modification of the law. It
should establish the general frame in which a set of activities is allowed and made possible as
well as to be supervised. It should also give the power to the government to enact further and
more detailed lower tier legislation (ordinances, governmental decrees, etc.) as well as to other
governmental bodies (especially to the regulatory body for nuclear safety) the competency to
promulgate relevant and specific regulations. For the states having the level of lower tier
legislation in the competency of the government, it will be necessary to decide whether and
which regulatory requirements should be introduced in this legislation or, alternatively, should
be expressed as regulations enacted by the regulatory body.
1.3.3.3. Regulations and guides — their nature and number
The difference between regulations and guides is clear and concerns above all the form
given to such regulatory documents, not their content: by definition, regulations are mandatory
and guides are non-mandatory. The development of regulatory tools leads to two categories of
regulations and guides: administrative (e.g. defining procedures for conducting the licensing
process in an orderly manner) and technical, e.g. setting particular principles, requirements or
provisions which applicants have to satisfy (regulations) or suggesting ways of attaining the
safety objectives (guides).
For dealing with administrative (or managerial) aspects of the licensing process, a
regulatory body will have to develop regulations rather than guides for obvious reasons: such
regulations will set the rules of procedure and they have to be applied by all those concerned;
they have therefore to be mandatory. Such administrative regulations would deal with subjects
such as: statute and organization of the regulatory body, rules of the licensing process, formal
duties of the applicant(s), financial aspects, etc. They are necessary at an early stage of the
licensing process, before the first application is introduced because they give the rules of
engagement and they make it easier for the regulatory body to manage the licensing process;
the applicant(s) should know and follow them from the beginning.
Concerning the technical level, both categories, regulations and guides, have to be
considered; being based on the overall safety objectives, they will prescribe (regulations) or
suggest (guides) ways or elements such as derived safety objectives, derived principles to be
used in design or operation, requirements and criteria, relation to industrial codes and
standards, etc. necessary or appropriate to satisfy these objectives.
1.3.3.4. The legal pyramid
The legal system of a country may comprise all or most of the following elements
which, by their nature, appear at an appropriate level in the hierarchy of legal documents:
act(s), lower tier legislation (e.g. ordinances, decrees), regulations, guides, international and
industrial standards.
A graphical presentation of these elements can show their level in the legal hierarchy
and indicate their number. The box on the top will contain acts. Underneath, there will be the
larger box containing all lower tier legislation (ordinances, decrees, etc.). Further down, we
have the still larger boxes for the many regulations and below that box there is a box
32
containing regulatory guides. At the bottom there is the largest box containing international
and industrial standards. It is obvious that this pile of boxes of increasing size with the largest
at the bottom and the smallest at the top takes the form of a pyramid, thus the name of “legal
pyramid”. The graphical presentation of legal elements has been used quite frequently and two
examples are given in Figures 3 and 5.
1.3.4. National and international institutions for matters of standardization
In addition to the IAEA Safety Standards a lot of international and national institutions
create technical standards. Examples of such institutions are the International Organization for
Standardization (ISO) or the International Electrotechnical Commission (IEC).
The co-operation between the IAEA and some important international institutions is
well — regulated, for instance in the “Memorandum of Understanding between the IAEA and
the ISO”. It reads: “The ISO recognises the responsibilities of the IAEA ... in particular with
regard to the establishment of standards of safety for the protection of health ... which are
primarily addressed to national regulatory bodies”.
And corresponding: “The IAEA recognises the responsibilities of the ISO as a
specialized international institution for matters of standardization, having as its objectives the
facilitation of international exchange of goods and services...”
In practice this co-operation is managed by “liaisons”. The technical committees of the
standard organization nominate related committees in other organizations and a liaison officer
is delegated to those committees.
Examples for national institutions are the American Nuclear Standards Institute
(ANSI), American Society of Mechanical Engineers (ASME), the German Nuclear Safety
Standards Commission (“Kerntechnischer Ausschuß, KTA”) which is presented in some
detail later, the DIN “Deutsches Institut für Normung e.V.” or the “Association Francaise de
Normalisation AFNOR” in France.
In this way a complete global framework of safety standards and technical
specifications is created by the IAEA and the institutions for matters of standardization.
In each country there are a legal framework and national authorities. The common
features are:
x The existence of a clear statutory and legal framework for nuclear regulation;
x The establishment of the basic industrial, technological, and human resource
infrastructure necessary to ensure nuclear safety;
x An unambiguous recognition that the prime responsibility for the safety of a nuclear
installation rests with the holder of the licence (i.e. the operator of the installation); and
x A national commitment to safety as the fundamental requirement for a nuclear
programme.
Independent of those common features there are differences in the history,
development, current structure and scope of responsibilities of various national nuclear
regulatory bodies. It is therefore the duty of the national nuclear regulatory body to find a
33
specific way to fulfil fundamental safety objectives and to meet technical and policy
challenges on the basis of the national and international safety standards.
1.3.5. Types of regulatory guidance
To establish a clear regulatory guidance the national authority usually uses the whole
spectrum of possibilities that are included in the national pyramid of the legal framework.
That means, in accordance with the hierarchical structure of the IAEA Safety Standards,
consisting of Safety Fundamentals, Safety Requirements and Safety Guides, the authority will
develop ordinances, guidelines or recommendations, depending on the subject which is
treated. These ordinances, guidelines or recommendations usually have different audiences.
They could be mandatory for everyone, they could be mandatory only for the administration or
they could be just recommendations of a group of experts with a non-mandatory nature.
Nevertheless, these recommendations could obtain great practical importance, as the licensing
authorities usually demand the proof of their fulfilment within the scope of the safety
assessment.
These different documents are established in different procedures. They could be
enacted by the government, promulgated by the authority or just published by the authority.
Depending on the kind of document the preparation takes place with or without the
participation of the public.
Safety standards and the way in which those are treated are part of the safety culture of
a country. The approaches vary, but three general types of regulatory guidance can be
observed. They are described in an IAEA Bulletin [1]:
“Compliance-based” regulation. This approach typically involves the regulator
providing prescriptive standards and requirements — the same for every plant — for operators
to follow. In this regime, inspection and enforcement are largely a matter of verifying
compliance with these rules and penalising non-compliance. The KTA safety standards are an
example of this type. They are presented in detail in 1.4.2.3.
“Performance-based” regulation. In this approach, licensees are required to comply
with safety objectives, but have some flexibility to decide how they achieve that. Safety
performance indicators are used by the regulator to observe trends in safety, and inspection
activities focus on these indicators. A difficulty with this approach, however, is that the
indicators used can be manipulated (i.e. efforts may be devoted to improving the indicators,
rather than improving safety itself). Furthermore, it is difficult to find safety performance
indicators that are predictive — i.e. that can be used to identify potential problems before they
develop into real ones — and therefore this approach remains essentially reactive. As an
example, one consequence of improving safety culture may be an increase in the number of
safety related “events“ or problems reported, as the result of better reporting by staff. It is
important that regulators (as well as managers) are able to distinguish a positive trend of this
type from a negative one in which more problems are occurring because of deteriorating
safety performance. This requires a more sophisticated approach to inspection than simple
“incident counting”, and more positive safety indicators may be of value.
An example of this type is the NRC maintenance rule. The US Nuclear Regulatory
Commission has begun a transition from the prescriptive regulations of the past to a more risk
and performance based approach which takes into consideration risk and plant performance.
34
10 CFR 50.65, requirements for monitoring the effectiveness of maintenance at nuclear power
plants” is an example of a performance based rule that mandates consideration of risk and
plant performance. This type of regulation gives each licencee the flexibility to determine the
most efficient and effective way to meet the requirements. The increased use of risk and
performance based regulation is made feasible by the continuing refinements in methods for
analysing and quantifying risk through the use of PSA and improvements in the evaluation
and analysis of plant and equipment performance data through licensee programmes such as
nuclear plant reliability data system (NPRDS), plant performance indicators, and those
mandated by the maintenance rule.
An example for the formal establishment of a reporting system is the German “Nuclear
Safety Officer and reporting ordinance” or the Finnish guide YVL 1.5 “reporting nuclear
power plant operation to the Institute of Radiation Protection”.
Process-based regulation (or integral supervision of nuclear power plants). This
approach takes specific account of the fact that the safe operation of nuclear facilities depends
on the effectiveness of the organizational processes established to operate, maintain, modify,
and improve a facility. Briefly put, the process approach focuses on the organizational systems
that the facility has developed to assure the ongoing safe operation from the perspective of the
facility’s internal logic. It recognises that the design of organizational processes must remain
flexible in order to allow the facility to create processes that are internally consistent, adapted
to their history, culture and business strategy, and that allocate resources in the most rational
way. A process based approach attempts to allow this flexibility while forcing the facility to
think very carefully about the logic of their processes. It demonstrates to the regulator that
they have taken a very rigorous approach to the design, implementation, and ongoing
evaluation of their key processes and that they are alert to opportunities to improve their
systems.
A combination of the above three approaches can be used, since they are not mutually
exclusive.
An example of this kind of regulation is the new KTA working programme “KTA
2000”. In this new programme all German requirements concerning nuclear safety are
classified in three levels, similar to the structure of the new IAEA Safety Standards series.
Notwithstanding the paramount importance of regulations and standards, they need to
be implemented on the management and working level within an integrated approach to
national and international “safety culture”.
1.3.6. Safety criteria for nuclear power plants
Safety criteria are a means to help implementing safety principles and requirements.
Safety criteria indicate the way (or one of the ways) to satisfy a principle or a requirement.
Nature of safety criteria may be technical, administrative, organizational, etc. and it can be
qualitative or quantitative. It can be relevant to engineering, to radiological protection, to manmachine-interface (human factors), or to physical protection, etc.
Safety criteria may be established either by the regulatory body or by the
applicant/licensee:
35
x In the non-prescriptive approach, the applicant/licensee proposes a set of safety criteria by
defining them and using them in its application; these safety criteria are eventually
approved, modified or rejected by the regulatory body after review and assessment;
x In the prescriptive approach, safety criteria are established by the regulatory body; they
can be established as regulations (they are then mandatory) or as guidelines (they indicate
in this case how the regulatory body intends to conduct the review and assessment
process); they have to be available early enough in order to be considered by the
applicant/licensee and its suppliers in preparing the application.
The regulatory body is responsible for ensuring that an adequate and complete set of
safety criteria is available and that each applicable criterion is or will be satisfied. Safety
criteria are necessary for, and applied during, each phase of the licensing process, namely:
siting, design, construction, operation, decommissioning as appropriate. Safety criteria should
not only be compatible with, but should express the way to implement internationally agreed
basic safety objectives and their supporting fundamental safety principles.
A systematic approach to establishing a coherent set of safety criteria may be to
consider all fundamental safety principles enunciated in safety fundamentals [8] as presented
in 1.1.5.2 or the derived principles presented by INSAG [7] (basic safety principles, namely:
3 fundamental management principles, 3 defence in depth principles, 6 general technical
principles, 50 specific principles).
Another approach may be based on the set of safety criteria in force in the country of
origin of the reactor and on a complementary check against the above mentioned safety
principles. Each principle or, respectively, each requirement is the source of at least one
criterion, but mostly of several complementary safety criteria, usually to be considered at the
different stages of the licensing process (siting, design, construction, commissioning,
operation, decommissioning).
1.3.6.1. Examples of safety criteria
The siting and design requirements are presented by the IAEA in its requirements
documents on siting and design [3, 5]. The most well known national example of safety
criteria is given by the US NRC in the Code of Federal Regulation (CFR), in particular in title
10 “Atomic Energy”, Part 50 “licensing of production and utilisation facilities” with its
Appendix A “general design criteria for nuclear power plants” (64 criteria). Another, more
recent example is the decision of the council of state of Finland on the general regulations for
the safety of nuclear power plants (1991), (27 sections containing criteria).
In Germany details concerning the legal provisions set out in the Atomic Energy Act
and the Radiation Protection Ordinance are given by the safety criteria. They contain the
safety principles to be applied during design, construction and operation of NPPs in order to
ensure that the provisions against damage are taken in accordance with the present state of
science and technology. The safety criteria consist of 11 paragraphs containing 33 criteria.
Examples of the subjects covered are: testability, exposure of the environment to radiation,
effects of load combinations due to external events; protection against fire and explosions;
residual heat removal after loss of coolant; external hazards; heat removal from the
containment, single failure criteria and its application etc.
36
In Switzerland the overall safety objectives are formulated in an indirect way in the
Atomic Energy Act. There are only very few technical requirements in regulations. But the
Swiss Safety Authority (HSK) makes use of regulations and guidelines from the countries of
origin of the reactors (USA and Germany). The Inspectorate will develop its own guidelines
only if it has a different opinion on specific aspects or if it will apply more stringent
requirements than those in force in the country of origin. Translated extract from the Atomic
Energy Act (1959) states: The application for construction, operation or modification of a
nuclear installation shall be supported by a detailed technical report (safety analysis report).
The licensing authority shall obtain an (independent) expert's opinion (safety evaluation
report) showing, in particular, whether the project includes all measures that can be reasonably
required for the protection of individuals, of third party property or of important rights. A
summary of safety objectives is given in the Booklet presenting the HSK: “Nuclear
installations must be constructed and operated such that the safety of the operating personnel,
the general public and the environment is maintained.”
1.4. ILLUSTRATION THROUGH NATIONAL EXAMPLES [15]
1.4.1. Finland
1.4.1.1. Governmental organization
Nuclear Energy and Radiation Protection Acts and Decrees define the regulatory
framework in Finland. General safety requirements are given by decisions by the state council
(i.e. cabinet of ministers). Responsibility on nuclear safety rests on the licensee. The
governmental is presented in Fig. 3. Radiation and Nuclear Safety Authority — STUK is an
independent regulatory organization for regulating and reviewing nuclear and radiation safety.
Administratively (e.g. concerning budget matters) STUK is under the Ministry of Social
Affairs and Health. Licence applications for nuclear facilities are handled by the Ministry of
Trade and Industry. STUK gives its statement on the safety of nuclear facilities when
licensing is concerned.
MINISTRY OF SOCIAL
AFFAIRS AND HEALTH
- administrative authority
for the use of radiation
STUK - RADIATION
AND NUCLEAR
SAFETY AUTHORITY
- independent regulatory and
research organisation
MINISTRY OF TRADE
AND INDUSTRY
- administrative authority for
the use of nuclear energy
MINISTRY OF THE
INTERIOR
- protection of the general
public in emergency conditions
MINISTRY OF
FOREIGN AFFAIRS
- nuclear safety in regions
surrounding Finland
Ministry of Environment
Ministry of Defence
Ministry of Transport
Ministry of Agriculture
Finnish Meteorological
Institute
Customs Authority
National Food
Administration
FIG. 3. Finland — governmental organization.
37
1.4.1.2. Hierarchy and development of regulatory guidance in Finland
Hierarchical levels of guidance
In Finland the relevant legislation is the Nuclear Energy Act and Decree, the Radiation
Act and Decree and the Nuclear Liability Act, as well as the Act and Decree on STUK. These
acts and decrees define the regulatory framework in Finland. (See Fig. 4). Typically the
following topics are presented in the Nuclear Energy Act: general principles, overall good of
society, safety, nuclear materials, waste management, physical protection, explosives,
licensing, supervisory authority, sanctioning etc.
In Finland the council of state gives general regulations concerning safety, security and
emergency preparedness. These regulations are mandatory. It is STUK’s responsibility to
prepare these regulations, except for the regulation concerning public rescue services, which
are prepared by the Ministry of the Interior. So far, following general regulations exist:
x The decision of the Council of State on the general regulations for the safety of nuclear
power plants (395/1991);
x The decision of the Council of State on the general regulations for the safety of a disposal
facility for reactor waste (398/1991);
x The decision of the Council of State on the general regulations for the physical protection
of nuclear power plants (396/1991);
x The decision of the Council of State on the general regulations for the emergency response
arrangements at nuclear power plants (397/1991).
Acts,
Decrees
Decisions by the Council
of State
YVL-Guides
Industrial and International Standards etc as basis
for applications (IAEA, ASME, ANSI, KTA, DIN etc)
FIG. 4. Hierarchy of regulations and standards in Finland.
Detailed regulations and regulatory guides (YVL guides) are issued by STUK. The
Nuclear Energy Act gives a mandate to STUK to issue detailed technical and administrative
guidance. YVL guides now include about 65 guides in the following eight series:
x General guides;
x Systems;
38
x
x
x
x
x
x
Pressure vessels;
Civil engineering;
Equipment and components;
Nuclear materials;
Radiation protection;
Radioactive waste management.
The list of YVL guides is presented in Appendix V. More than 30 guides have been
revised in the period 1992–1997. The guides are also translated into English. These guides are
rules, which the licensee shall comply with, unless STUK has been presented with another
acceptable procedure or solution by which the safety level laid down in the YVL guides is
achieved. The actual YVL guides are available in English through Internet at the site
www.stuk.fi/english/publications.
Developing regulatory (YVL) guides
Through YVL guides, STUK shows the utilities the required safety level and the
regulatory body’s supervision and inspection practices. Issues handled in the YVL guides
therefore cover plant design and operation as well as regulatory control and inspection related
topics. YVL guides give design criteria for systems, components and structures of NPP (e.g.
YVL 1.0, YVL 2.1, YVL 2.7, YVL 3.1, YVL 4.1, YVL 5.5). They give guidance on accident
analysis, PSA and respective design criteria (e.g. YVL 2.2, YVL 2.8). They provide guidance
on administrative and organizational issues like QA, document control, training and
qualification, safety committee practices (e.g. YVL 1.4, YVL 1.9, YVL 1.7, YVL 1.6). They
give guidance on commissioning, testing, operation of NPP´s, event investigation, reporting to
the STUK (e.g. YVL 2.5, YVL 1.5, YVL 1.11). They give guidance on plant modifications,
repair work, maintenance, in-service inspection, outage control (e.g. YVL 1.8, YVL 1.13,
YVL 3.8). They provide guidance on radiation protection, physical protection and waste
management (e.g. YVL 7.1, YVL 8.1). With such guidance there will be no surprises to the
utilities if new NPPs or plant modifications are planned or if operational practices are
changed.
The development of YVL guides contains the following phases. The decision is made
that a new guide is needed, a working group is formed, and a schedule agreed. The outcome is
draft 1, prepared by the working group. IAEA Safety Standards are taken into account when
Finnish regulatory guides are written. Draft 1 is then sent for internal comments within STUK,
and the outcome is draft 2. This is then sent for external comments to power companies, etc.
and the outcome is draft 3. This is presented to the STUK nuclear safety department
management meeting for approval, and the final draft 4 is sent for comment to the Nuclear
Safety Advisory Board. After considering their comments the guide is brought into force by
the Director General of STUK.
Internal regulatory guidance (STUK)
STUK’s administrative and YTV quality manual defines working practices inside the
regulatory body. The emergency plan for STUK defines tasks and working procedures for all
departments concerning accident situations. YTV guides prepared by the nuclear reactor
regulation department and collected into the YTV quality manual define working and
inspection practices in the supervision of NPPs. General inspection procedures prepared for
39
the periodic inspections are included in the YTV quality manual and detailed procedures for
each inspection are collected in a specific folder. Responsibility for the upkeep of the
inspection procedure lies with the inspector who has the main responsibility for the inspection
in question.
Example of guidance (criteria for assessment during licensing phase)
The Nuclear Energy Act and Decree define the necessary steps, e.g. stages of licensing
process of nuclear facilities (decision in principle, construction permit, operating licence) and
licensing documents. General design criteria for the NPP are given in the decision of the
council of state. YVL guide 1.1 [16] defines the regulatory body’s role in licensing and
commissioning. Detailed guidance for safety review and commissioning is given in YVL
guides.
General design criteria define the safety level and form a basis for safety assessment
review reports. YVL 1.1 provides administrative details; the what, when and how for the
regulatory body and for the utility. YVL guides 2.2, 6.2, 7.1 and 2.8 give criteria for accident
analysis and PSA. YVL 1.0 covers plant design. YVL 2.1 covers safety classification. YVL
2.7 covers failure criteria. YVL 1.4 covers QA. YVL 2.5 covers pre-operational and start-up
testing of NPP.
YVL guides 3.0–3.9 handle pressure vessels. YVL guides 4.1–4.3 handle concrete and
steel structures. YVL guides 5.3–5.8 handle other equipment like valves, pumps, automation,
ventilation, etc. YVL guides 7.1–7.18 handle radiation protection and emergency planning and
preparedness. YVL guides, group 6 covers nuclear materials. YVL guides, group 8 covers
nuclear waste management.
International standards provide background information on recommended practices
such as the IAEA Safety Standards series. ASME, ANSI, USNRC regulatory guides, etc.
provide one good national example. US NRC standard format for PSAR/FSAR and standard
review plans provide a model for the assessment of safety reports.
1.4.2. Germany
1.4.2.1. Governmental organization
As indicated by its name, Germany is a Federal state. The Federal Constitution
therefore contains detailed provisions on the legislative and administrative competencies of
the Federation (Bund) and the individual states (Länder). Pursuant to the Federal Act of 1959
on the Peaceful Uses of Atomic Energy and Protection Against Hazards (Atomic Energy Act)
the supreme authorities of the Länder, designated by their governments, are competent for the
granting, withdrawal and revocation of licences for nuclear installations.
The Atomic Energy Act empowers the Bund to issue ordinances and general
administrative regulations that are mainly implemented by the Länder acting on behalf of the
Federation. The federal control and supervision relate to the legality and expediency of the
implementation of the Atomic Energy Act by the Länder. The competent authorities of the
Länder are subject to the directives of the competent supreme federal authority, in this case,
the Federal Ministry for the Environment, Nature Conservation and Nuclear Safety (BMU).
The governmental organization is presented in Fig. 5.
40
1.4.2.2. Application of safety legislation: licensing prerequisites in Germany [17]
According to German law, nuclear facilities may not be built and put in operation
before a state licence has been granted. The purpose of this governmental control is to achieve
the best protection possible against the dangers of nuclear energy. The safety philosophies
presume that a nuclear facility represents a man-machine-system. For this reason, the German
Atomic Energy Act stipulates that both facility and personnel must meet stringent
requirements. The applicant has to fulfil the following licensing prerequisites in order to
obtain a licence:
x Personal licensing prerequisites: the applicant and the management personnel have to be
reliable, and the operating personnel have to have sufficient technical knowledge;
x Licensing prerequisites related to the facility: the facility has to be designed in such a way
that necessary provisions against damage due to the construction and operation have been
made in accordance with state-of-the-art science and technology, sufficient protection
against sabotage from outside has to be guaranteed, the location has to be chosen in
keeping with ecological standards, and there needs to be sufficient provision to meet any
legal liability for damages.
Federal Ministry for the Environment,
Nature Conservation and Nuclear safety
(BMU)
Advisory Committees:
Reactor Safety Commission (RSK)
Comm. of Radiological Protection
Further Federal Ministries
Expert Organisations:
GRS
Federal Office for Radiation Protection
Länder Ministry in Charge of Licensing,
Supervision and Inspection of Nuclear Installations
Further State and
Local Authorities
General Public
Expert Organisations:
Technical Inspection Agencies (TÜV)
Experts on Non-Nuclear Issues
Applicant / Licensee
FIG. 5. Germany — governmental organization.
41
Reliability of applicant and personnel
The applicant and management staff have to be especially reliable. The plant manager,
department or sub-department heads, the responsible shift personnel (shift supervisor and
deputy shift supervisor) as well as reactor operators and radiological protection officers a part
of the management staff have to ensure they manage the hazardous technology with diligence
and in a fail-safe manner. The examination of reliability requires an overall assessment of the
person in question which also takes into account his/her general behaviour. The examination
of reliability also includes evaluation of the physical and psychological aptitude for special
activities, besides personal integrity. Before being employed at a nuclear power plant, the
personnel will be subject to a security clearance.
Technical qualification of personnel
The second licensing prerequisite related to personnel concerns the proof of technical
knowledge. The management personnel have to furnish proof of special technical knowledge
and other operations personnel have to furnish proof of adequate knowledge of safe plant
operation and of the possible dangers and the protective measures to be applied.
Prevention of damage
The most important licensing prerequisite concerns the plant itself. It stipulates that
precautions are taken against damage resulting from construction and operation of the plant
according to state-of-the-art science and technology. This means that the plant design has to
correspond to the latest developments in both science and technology in order to practically
eliminate damages. During examination of the damage prevention measures for their
correspondence to the latest scientific developments, the licensing authority may not rely on
the prevailing scientific opinion, but has to consider all demonstrable scientific findings. If the
required precautions corresponding to the most recent scientific knowledge cannot be taken,
the licence must not be granted. In addition, the topics of defence in depth-concept are
mentioned as design prerequisites (see Section 3).
Sabotage protection
Further to the main plant-related licensing prerequisite, which is accident prevention,
the applicant has to furnish proof of protection against interference and other impacts by third
parties. This means, above all, protection against acts of sabotage.
Ecology
The applicant has to demonstrate that the choice of plant location does not conflict
with public interests, especially with regard to environmental impact. Before a licence is
granted, thorough examination has to be made to answer whether or not another location is to
be preferred because of ecological aspects. For this purpose account must be taken of the
impact of the plant on the environment, in particular on the ground water, climate and air, but
also on soil, animals and plants, nature and landscape as well as on cultural and material
goods. In addition to these environmental goods, contingencies, such as flood, earthquake etc.
have to be considered when choosing the location of the plant.
42
Financial security
The applicant also has to demonstrate that he is provided with the required financial
coverage to meet the legal liability for damages. This provision has to be made in case third
persons are harmed by an accident at the plant despite the safety measures taken. In this case,
the operator will be held liable for the total damage without limitation. For this purpose, the
operator has to furnish proof of the so-called financial security to meet legal liabilities. The
authority stipulates the manner and extent to which security has to be provided. In most cases,
the proof will be furnished by a third party insurance which pays the damages for which the
operator is responsible. Currently, the total of financial security e.g. for a nuclear power plant
is 500 million DM. If this amount should be exceeded in the event of an accident the state is
obliged to indemnify the operator against liability up to 1 billion DM. Beyond this amount, the
operator is held liable to the extent of his property.
1.4.2.3. The German KTA nuclear safety standards
The German Nuclear Safety Standards are an integral part of the well known pyramid
formed by laws, ordinances, guides, standards and codes (Fig. 6). The author of the Atomic
Energy Act and the Ordinances is the legislative power, which is the parliament and the Upper
House of the Federal Parliament (Bundestag, Bundesrat). The author of the German Nuclear
Safety Standards (KTA standards) is the Nuclear Safety Standards Commission (KTA). The
Nuclear Safety Standards Commission (KTA) was established in 1972 and to date 86 Nuclear
Safety Standards have been issued.
Atomic Energy
Act
Ordinances
Safety Criteria and Safety Standards
(KTA-Standards, Regulatory Guides and
RSK-Guidelines)
Technical Standards
(DIN-Standards)
FIG. 6 . Hierarchy of regulations and standards in Germany.
KTA consists of 50 members representing the German nuclear community, i.e. in five
groups of ten members each, the manufacturers, the utilities, the atomic licensing and
supervisory authorities, the safety reviewing organizations and another group of miscellaneous
(nuclear) interests.
The KTA’s objective is to establish safety standards for all kinds of nuclear facilities,
primarily, however, for nuclear power plants. These safety standards reflect the common
43
opinion of the five groups and are based on actual experience gained during the licensing,
construction and operation of nuclear facilities.
Managed by a board with one member from each of the first four above mentioned
groups, the KTA decides in which fields safety standards are to be established. KTA-accepted
drafts of these standards are published and, at the end of a three-month period, reviewed
taking into consideration comments from the public. Final standards are then made public by
the German Federal Ministry for the Environment, Nature Protection and Nuclear Safety
(Bundesministerium für UMW(e)lt, Naturschutz und Reaktorsicherheit) and are thus put into
effect.
After a maximum of five years, an issued nuclear safety standard is reviewed to see if it
still represents modern practice or if modification proceedings have to be started for this
nuclear safety standard.
Day-to-day business of the KTA is carried out by the KTA-secretariat. The head
secretary of the KTA-secretariat is directly responsible to the board of the KTA.
Nuclear safety standards are prepared by KTA-subcommittees as well as by specially
appointed groups of experts, utilizing all national and international efforts of standards
organizations involved in the field of nuclear technology. All work is carried out under the
close supervision of the KTA-secretariat.
This kind of organization reflects an old German tradition. It is the idea of cooperation
between the governmental authorities and the private industry, all being equally entitled, at
least at the level of safety standards. The advantage of such a structure is the high expertise of
its members. A disadvantage is a certain heaviness in the decision process.
1.4.2.4. Qualification requirements of German NPP personnel
Legal requirements
The German Atomic Energy Act states that a licence to operate a nuclear installation
may be granted only if — among other prerequisites — the subsequent requirements are met
for the responsible and for subordinate operating personnel category:
x No facts shall be known that give rise to any doubt as to the reliability of the personnel
responsible for the management and control of operation of the installation (responsible
operating personnel), and these personnel shall have the requisite competence.
x It is ensured that the persons who are otherwise engaged in the operation of the installation
(subordinate operating personnel) have the necessary knowledge concerning safe operation
of the installation, the possible hazards, and the safety measures to be applied.
The following functions are carried out by the responsible operating personnel: station
superintendents, nuclear safety commissioners, radiation protection commissioners, operation
superintendents, maintenance superintendents, technical superintendents, training officers,
physical protection commissioners, shift supervisors, control room operators and their
respective alternates. For these personnel the legal qualification requirements cover reliability
and requisite competence. The subordinate operating personnel category comprises all
44
personnel engaged in operation who are not included among the aforementioned responsible
personnel. For these personnel only a clearly defined amount of necessary knowledge
concerning plant safety and safety of the personnel, related to their respective tasks and
working places, is required.
Guidelines regarding qualification requirements
The licensing requirements of the Atomic Energy Act concerning the qualification of
personnel have been further specified for nuclear power plants in guidelines:
x Guideline for the proof of the requisite competence of personnel at nuclear power plants;
x Guideline for the content of the examination of the technical qualification of responsible
shift personnel at nuclear power plants;
x Guideline for programmes for the preservation of the technical qualification of responsible
shift personnel at nuclear power plants;
x Guideline for the ensurance of the necessary knowledge of subordinate operating
personnel;
x Guideline for the technical radiation protection commissioners at nuclear power plants and
other facilities for fission of nuclear fuel;
x Guideline on requirements regarding the physical protection commissioners and security
guards at nuclear facilities of category I;
x Guideline for the security screening for trustworthiness of personnel at nuclear
installations, during the transport and use of nuclear material and high-level radiation
sources.
Responsible operating personnel
The verification of the requisite competence of the responsible operating personnel is
mainly based upon performance evaluation rather than upon special examinations. The
documentation of each responsible operating personnel shall proof, that the respective
employee has:
x A basic professional qualification;
x The requisite safety-related knowledge;
x The ability to specify, initiate and carry out all measures and actions necessary for the safe
operation of the plant;
x A minimum practical experience (between 6 months and 3 years);
x Special nuclear, plant-specific lectures and in-plant technical training;
x Full-scope simulator training (8 weeks for PWR, 7 weeks for BWR);
x Successful completion of a written and oral examination;
x Special didactic training for training officers.
45
Most of the safety-related nuclear fundamentals are taught to shift supervisors and
control room operator candidates in special courses at nuclear training centres which
administer final exams. All training centres have adopted a model-catalogue of about 2000
questions and sample answers for the written exams. The oral exam, administered by a special
board of examiners has to be taken individually.
Shift supervisors, their alternates and control operators have to take a written and an
oral examination at their respective plant. The examination is held by a board of examiners
which consists of three members of the responsible operating personnel category of the plant,
two outside experts under contract of the authority, and one representative of the competent
authority.
No examination is required at a simulator. However, the simulator training personnel
have to evaluate, to document and to testify to the training success for each trainee, including
a compilation of possible weakness or deficiencies in knowledge and ability. A responsible
representative of the respective nuclear power plant, to which the shift operating crew being
trained belongs, will accompany the shift crew and will closely observe his personnel and
their training results.
Requalification requirements
The licensing requirement concerning the competence of responsible operation
personnel implies the obligation of the licensee to keep the competence of his employees at
the level defined by the current state of science and technology throughout their working life.
The licencee has to provide for regular retraining activities, for instance in-plant lectures,
external training courses, simulator training (up to 20 days within 3 years). The success of the
retraining activities shall be monitored and documented by the plant management, and has to
be demonstrated to the competent authority upon request. For extended plant outages the
requalification programmes have to be intensified and modified, taking into account the
current plant state and the activities which could not be carried out because of the plant
outage.
Reliability requirements
The Atomic Energy Act requires that no known facts shall give rise to any doubt as to
the reliability of the responsible operating personnel and this personnel have been security
screened for trustworthiness. The security screening procedure is repeated every five years for
all personnel.
Requirements regarding the qualification of subordinate operating personnel
For subordinate operations personnel (all personnel not belonging to the responsible
operating personnel category) only the necessary knowledge concerning safe operation of the
plant, possible hazards, and safety measures to be applied is required by law. This necessary
knowledge depends upon the characteristic of the plant and the respective function or
responsibility of the personnel, and on the number of other subordinate personnel supervised.
The specification of the necessary knowledge is complicated by the fact that subordinate
personnel from one day to the next may be assigned to tasks with different nuclear safety
implications, under different working conditions and during major inspections even together
with hundreds of off-site personnel who do not know the plant well. Therefore, for
46
subordinate personnel the necessary knowledge has to be specified in a flexible way in order
to allow for adaptation to various parameters. The following requirements concerning the
insurance of the necessary knowledge have been specified:
x All subordinate operating personnel shall receive instructions covering safety-related
knowledge and its application to their everyday work;
x They shall receive a special briefing at the respective working place prior to the
commencement of work;
x They shall have professional qualification and practical experience.
For all activities that are regularly carried out by subordinate personnel the licensee
shall assign personnel to one of the following categories, according to their level of
responsibility (it is understood that category “A” to “D” personnel in general are executing
instructions given by responsible operating personnel):
A: Personnel who plan activities that may have bearing on the safety of the plant or on its safe
operation, or who co-ordinate the preparation or execution of such activities;
B: Personnel who operate and control important systems like turbine, ventilation systems,
cooling water systems from a central position within the scope of the operating
instructions or the instructions of the shift supervisor;
C: Personnel who execute work or inspections and tests on items important to safety, or who
substantially participate in the preparation or execution of such work;
D: Personnel who execute narrowly defined activities in support of work executed on items
important to safety, or who cannot affect the safety of the plant or of its operation because
of the type of and the restrictions on their respective tasks.
The minimum training shall take at least two hours and be repeated every year; it is
meant for subordinate personnel of category “D”. The maximum training for subordinate
personnel shall take several weeks and be repeated every three years; it is meant for personnel
with supervisory functions and whose working activities may have direct effects on safety,
like personnel of category “A” or “B”. As a last step, the licensee has to specify in a training
programme which set of lists on safety-related knowledge will be the basis for training of a
specific category of subordinate personnel.
All subordinate operating personnel are submitted to a security screening process for
trustworthiness. This security screening is an important precaution against sabotage by
undercover agents. The extent and intensity level on the security screening will depend upon
the plant areas, to which the specified person has access, and upon the ability of that person to
jeopardise plant safety. (off-site) personnel not having undergone this screening process have
to be escorted permanently by personnel having a security clearance.
For off-site personnel the instructions concerning the safety-related knowledge may
cause some problems, especially when such personnel are needed at short notice or when time
is not available for providing these instructions. In these cases, such off-site personnel will
47
only be allowed to start working when they have received a special briefing and when an
experienced permanent supervisor has been assigned to them, who has the necessary safetyrelated knowledge.
Conclusion
The fact that detailed requirements regarding the qualification of operational personnel
have been specified by the licensing authorities does not guarantee this qualification. It is the
licensee’s obligation and his sole responsibility to train his personnel, to keep them optimally
qualified at any time and to adjust this qualification to any change in the state of science and
technology. He is the only one capable of transforming the regulatory requirements into
operation-oriented training objectives which take into account the constraints and needs of the
actual tasks to be accomplished. There should be close communication between the competent
authority and the licensee whenever qualification requirements are to modified, in order not to
destroy the licensee’s motivation to apply them meaningfully. It has to be kept in mind that it
is not only the qualification of the operating personnel which has an important influence on
the human contribution to plant safety. Whether a man will influence the course of any
accident sequence in a positive way or not, will strongly depend on his qualification; his
success will also be determined by the design of the control room, by his working
environment, by the design of working cycles and working aids, and by his motivation. The
objective of all efforts to optimise the contribution of the “human factor” to the safe operation
of nuclear power plants should therefore represent a simultaneous optimisation of all these
influences.
1.4.3. United Kingdom
The main legislation governing the safety, and enforcement of safety, of nuclear
installations is the Nuclear Installations Act 1965 as amended, together with the health and
safety at work, etc. Act 1974 and the Ionising Radiation Regulations 1985. Under the Nuclear
Installations Act no site may be used for the purpose of constructing, commissioning or
operating any nuclear installation unless a licence has been granted by the Health and Safety
Executive (HSE). A nuclear installation is broadly defined as being an installation where
nuclear fuel is manufactured, enriched or reprocessed, where products from irradiated nuclear
fuel are manufactured, or an installation which is a power or research reactor (some defence
related activities are excluded).
Her Majesties Nuclear Safety Directorate (NSD) as part of the HSE is responsible for
enforcing safety and health legislation at any licensed site. A statutory body called the Health
and Safety Commission (HSC) sits between Government and HSE. The aims of HSC and
HSE together are to protect the health, safety and welfare of employees, and to safeguard
others, principally the public, who may be exposed to risks from industrial activity. The
governmental organization is presented in Fig. 7.
Each nuclear site licence has conditions attached that have the force of law and which
place either absolute requirements or require the making of adequate arrangements and
compliance with those arrangements. A fundamental feature of one condition is the
requirement for the licensee to demonstrate the safety of the proposed operation in a document
known as the “safety case”, prior to the start of that operation. Breach of any law, regulation
or licence condition is a criminal offence and the offender may be prosecuted in the United
Kingdom courts of law.
48
In the United Kingdom the NSD formulates the overall safety objective as follows: “The
objective is to secure the maintenance and improvement of standards of safety at civil nuclear
installations and the protection of workers and members of the public”. The modus operandi of the
NSD to satisfy the safety objectives is formulated as follows: “The essential regulatory philosophy
underlying safe nuclear power in the UK is to ensure that the licensee establishes a safe design, and
to monitor it by inspection from manufacture to decommissioning through construction,
commissioning, operation and maintenance in order to ensure that the safe design intent is not
violated either deliberately or unintentionally.” NSD does not issue Standards or Codes of practice
for nuclear power plants. Rather it expects each licence applicant to develop their own design
safety criteria and requirements. These criteria are not formally approved or promulgated as
standards or codes. The form of regulation chosen is non-prescriptive but is one that obliges
licensees to understand the risks associated with their plant. They must propose suitable
arrangements for dealing with those risks, and, once “approved” by the NSD, these
arrangements become legally enforceable constraints on the way in which the licensee may
operate.
Department
Environment, Transport
and the Regions
Environment
Agency
Health & Safety
Commission
Discharge & Disposal
of Radioactive Waste
Health & Safety
Executive
Nuclear Safety
Directorate (NSD)
FIG. 7. United Kingdom — governmental organization.
1.4.4. Governmental organization for nuclear safety in the USA
1.4.4.1. History of nuclear safety regulation in the USA
The history of the US nuclear regulatory system dates from the initial development of
nuclear technology as part of the country’s wartime programme in the mid-1940’s. In its
earliest phase, virtually all nuclear activities were highly confidential and closely controlled
for security reasons. Since that time, the legal and organizational structure for nuclear energy
has expanded to cover a full range of civilian activities in the nuclear field. The following
chronology summarizes some of the key developments in the history of the US system for
nuclear regulation:
49
x 1946. A new Atomic Energy Act creates the Atomic Energy Commission (AEC) to
exercise civilian control over nuclear energy development and regulation. Under the 1946
Act, nuclear technology begins to become more public and open.
x 1953. On December 8, President Eisenhower delivers an important address to the United
Nations General Assembly entitled “Atomic Power for Peace”. The speech launches the
worldwide “Atoms for Peace” programme that not only gave impetus to the civilian
nuclear programme in the USA, but also supported the transfer of nuclear technology to
other nations.
x 1954. A substantially revised Atomic Energy Act authorizes the transfer of a broad range of
nuclear technology from the governmental sector to private industry and establishes a
regulatory framework for such activities within the Atomic Energy Commission.
x 1957. Congress enacts the Price-Anderson Act, which adopts limits on liability and a
system of compensation for damage from nuclear accidents, a measure that significantly
encourages the wider development of nuclear power.
x 1961. The US Supreme Court issues its decision in the important Power Reactor
Development Company case, the first major legal challenge to licensing of nuclear power
plants in the USA. The Court affirms the AEC’s two-step licensing process (construction
permit/operating license) and holds that judicial review of regulatory decisions will to
extend to AEC technical safety judgements.
x 1969. Congress enacts the National Environmental Policy Act (NEPA), that requires
preparation of an environmental impact statements (EIS) for all major federal projects.
Reactor construction is considered a major federal project it must receive a permit and
license from the US regulatory body (at that time, the AEC).
x 1974. In a major organizational reform, Congress adopts the Energy Reorganization Act
that abolishes the AEC and creates two new bodies. The US Nuclear Regulatory
Commission (NRC) is established as an independent agency to regulate nuclear energy.
The Energy Research and Development Agency (ERDA) — later the Department of
Energy (DOE) — is given responsibility for development and promotion of nuclear energy.
1.4.4.2. Basic character of the US system of nuclear regulation
Having summarized the history of the US nuclear regulatory system, some consideration
should be given to the reasons why it is structured as it is. Many factors are relevant in
determining the legal and institutional framework for nuclear regulation in any country. The
following factors seem particularly relevant to the US approach.
The US civil nuclear power programme is quite large, with over 100 operating reactors
at over 60 sites. Supervision of such a programme obviously requires a proportionately large
regulatory body. The US programme is technologically diverse. Four reactor vendors have
utilized some 80 designs based on pressured-water reactor (PWR) and boiling-water reactor
(BWR) technology. Unlike a programme that utilizes a standardized design, a diverse system
requires the regulatory body to maintain a larger cadre of technically trained personnel in a
variety of fields.
50
The US programme also involves a diversity of operating organizations. Until recent
reorganization and consolidation of the electric utility industry, some 45 separate companies
were operating nuclear power plants in geographically dispersed locations. Such a programme
requires a regulatory system that is organized to monitor nuclear safety on a regional and sitespecific basis.
The US legal system, in general, reflects a long tradition of independent regulatory
bodies responsible for assuring health and safety in various areas of industrial and economic
development (e.g. food and drugs, railroads). This provided a clear model for the
organizational structure of a regulatory body in the nuclear field. The US constitutional system
is federal, with the 50 state governments exercising significant powers (e.g. police,
environment, local land use, economic regulation of electric utilities). However, the
US system also provides a dominant role for the federal government in certain areas deemed
essential to national interests. Sometimes called the doctrine of “pre-emption”, the federal role
has been particularly broad in the nuclear area, primarily because of its military origins and
security aspects.
The US has a tradition of active legislative involvement in all areas of public policy.
Congress expects to conduct vigorous oversight of regulatory bodies on a regular basis.
Regulatory officials expect to appear regularly before legislative committees to explain their
activities, as well as to support annual budget requests. Judicial review of the actions of all
government agencies is routine in the USA An independent court system enforces the legal
accountability of regulatory bodies, including those in the nuclear area. Since nuclear energy
is controversial, most significant regulatory decisions are likely to be challenged in court. This
requires that the regulatory body have substantial legal expertise to defend its decisionmaking. In general, US governmental activities are conducted in a very open and transparent
process. Nuclear regulation is no exception in this regard. This openness includes a strong
tradition of public participation in agency decision making, in which so-called “stake-holders”
(i.e. parties with some identifiable interest) have the right to participate in agency proceedings
by submitting oral or written testimony. Openness is assured through a number of laws that
are not particular to the nuclear field, but to all aspects of government. The Freedom of
Information Act, Government in the Sunshine Act and Federal Advisory Committee Act (to
name only a few) include requirements for government transparency.
With regard to the financing of regulatory activities, the USA has moved to a system in
which the regulated industry funds substantially all of the costs of regulation. The US Nuclear
Regulatory Commission is funded by fees assessed against licensees. This represents a change
from the original approach of funding regulation from taxes paid by all citizens. The
arrangement — known as “full cost recovery” — means that persons using nuclear-generated
electricity or nuclear techniques eventually pay the regulatory bill. A more recent factor that is
having a major impact on the US nuclear regulatory system is the process of de-regulation and
reorganization in the nation’s electric utility industry. The impacts of these developments are
diverse and unpredictable. One major effect is a change in the number and even identity of
utilities operating nuclear power reactors. This will require close regulatory oversight to
confirm that new entities have the technical and financial resources to ensure safety. Also, a
more competitive electricity market is creating pressures to reduce the costs of regulation, a
factor that could impact regulatory resources.
51
1.4.4.3. The statutory framework for US nuclear regulation
The US nuclear regulatory system is based on a rather extensive and complicated
framework of laws, some of which are specific to the nuclear field, but many of which apply
to all governmental activities. Table V lists the most important legislative acts that govern the
day-to-day regulation of nuclear safety. The most important of these laws is the atomic energy
act of 1954, which establishes the comprehensive framework for the uses of nuclear energy.
The 1954 act has been regularly updated and amended (almost on an annual basis) for the past
half century. Other laws cover specific subject matter areas in the nuclear field, such as waste
management.
TABLE V. US LEGAL FRAMEWORK FOR NUCLEAR ENERGY REGULATION
Specific nuclear-related laws:
x Atomic Energy Act (1954), as amended;
x Price-Anderson Act (Adopts Limits on Liability and a System of Compensation for Damage from
Nuclear Accidents) (1957);
x Energy Reorganization Act (1974);
x Uranium Mill Tailings Control Act (1978);
x Nuclear Non-Proliferation Act (1978);
x Low-Level Radioactive Waste Policy Act (1980);
x Nuclear Waste Policy Act (1982);
x Low-Level Radioactive Waste Policy Act Amendments (1985);
x Diplomatic Security and Anti-Terrorism Act (1986);
x Nuclear Waste Policy Amendments Act (1987);
x Energy Policy Act (1992);
x Annual NRC Appropriations Acts;
Generally applicable laws:
x
x
x
x
x
National Environmental Policy Act (1969) Requires Impact Statements on Major Projects;
Administrative Procedure Act;
Government in the Sunshine Act;
Freedom of Information Act;
Federal Advisory Committee Act.
A number of laws that are not specific to the nuclear field have an important impact on
nuclear safety regulation. The most important of these general laws is the national
environmental policy act of 1969. This act requires the preparation of environmental impact
statements for major federal actions, which include the construction of power reactors and
development of waste management facilities, among others. Certain procedural acts of general
applicability also determine how nuclear regulatory bodies implement their responsibilities.
For example, the administrative procedure act governs the way all federal agencies conduct
their business, including provisions for how agency decision making must be conducted and
how persons may challenge actions they believe to be improper.
52
1.4.4.4. Nuclear Regulatory Commission — main responsibilities
As stated previously, since 1974 the US governmental body primarily responsible for
regulation the safety of nuclear activities is the independent Nuclear Regulatory Commission.
The NRC has wide-ranging responsibilities covering most aspects of the nuclear fuel cycle.
the following list summarizes some of its main activities:
x Regulation (through standard-setting, licensing, inspection and enforcement) of the design,
construction, operation and de-commissioning of:
Commercial nuclear power reactors.
Research, test and training reactors.
Medical, academic and industrial uses of nuclear materials.
Transport, storage and disposal of nuclear materials and nuclear waste.
x Licensing of reactor operators.
x Conducting research on nuclear safety.
x Providing public information related to nuclear safety.
x Coordinating relationships with state governments regarding nuclear safety. The basic
mechanism for this coordination is through a series of state agreements under which
regulatory authority is exercised by state governments based on an NRC determination that
they are compatible and consistent with NRC regulations.
x Maintaining an Incident Response Center to help manage nuclear events and accidents.
x Cooperating with other national governmental bodies and international organizations on
nuclear safety and radiation protection.
x A more extensive discussion of the detailed structure and activities of the Commission is
set forth in Part 2 — Regulatory Body at section 2.1.2.4 — US Nuclear Regulatory
Commission.
1.4.4.5. Role of other federal agencies and state and local governments
Although the US Nuclear Regulatory Commission exercises the greatest range of
responsibilities for regulating nuclear energy in the USA, other bodies have important roles
that should be briefly mentioned. The most important federal agencies in this regard are the
following:
Department of Energy (DOE): As the Federal agency charged with development and
promotion of nuclear energy, DOE supports a range of activities important to safety. For
example, the department has embarked on a major programme for developing a new
generation of nuclear power reactors that, among other aspects, are intended to have much
greater inherent safety features than current designs. This work is conducted in cooperation
with private industry. DOE also implements an extensive programme of nuclear safety
cooperation with other countries, primarily in Central and Eastern Europe and new
independent states of the former Soviet Union. DOE is also responsible for the safety of
defence-related nuclear activities at its own facilities.
53
Environmental Protection Agency (EPA): EPA has broad responsibilities in the protection of
all aspects of the environment, including water quality, air pollution and toxic wastes.
Although NRC regulates safety at nuclear-related sites, EPA is involved in standard-setting
and regulation of environmental impacts of nuclear activities that may extend beyond a site,
affecting the general population.
Department of Transportation (DOT): DOT regulates transportation of hazardous materials,
including nuclear materials, to ensure safe handling in the movement of such materials in
inter-state commerce.
Department of State (DOS): The State Department coordinates US relations with other nations
and international organizations, including those related to nuclear safety. DOS is typically the
lead federal agency in negotiating international instruments, including those related to nuclear
safety and coordinates with DOE, NRC and other agencies on safety cooperation with foreign
entities.
Department of Defence (DOD): The Defence Department is responsible for the safety of
nuclear materials and activities under its control, including nuclear weapons and nuclearpowered vessels.
Occupational Health and Safety Administration (OSHA): OSHA administers important
regulatory controls over the protection of workers from dangerous occupational hazards to
health and safety.
State and local governments do not have inherent authority to regulate the radiological
aspects of nuclear energy. However, as noted previously, many states exercise regulatory
control over radiation protection under agreements with the Nuclear Regulatory Commission.
States and local governments also have important responsibilities derived from their
fundamental powers over land use planning and economic development. For example, the
government of a state in which a proposed nuclear power plant is to be constructed must issue
certain kinds of permits related to construction. States also exercise economic regulation of
electricity rates, an activity that can impact the resources available to an operating
organization for maintaining and improving safety at its facilities.
2. REGULATORY BODY
2.1. REGULATORY INDEPENDENCE
The importance of regulatory independence is recognized in the Convention on Nuclear Safety
[11] and the IAEA Safety Requirements on legal and governmental infrastructure for safety
(Ref. [2] ). Both documents address the establishment of a regulatory body and the need for its
separation, or independence, from the promoters of nuclear technology. The primary reason
for this separation is to ensure that regulatory judgements can be made, and enforcement
actions taken, without pressure from interests that may conflict with safety. Furthermore, the
credibility of the regulatory body in the eyes of the general public depends in large part upon
whether the regulatory body is regarded as being independent from the organizations it
regulates, as well as independent from government agencies or industry groups that promote
nuclear technologies.
It is recognized that a regulatory body cannot be absolutely independent in all respects from
the rest of government: it must function within a national system of laws and budget
54
constraints, just as other governmental and private organizations do. Nevertheless, it is
important for its credibility and effectiveness that the regulatory body has effective
independence in order to make the necessary decisions with respect to the safety of workers,
the public and the environment.
The need for independence of the regulatory body does not imply that it needs to have an
adversarial relationship with operators or any other stakeholder.
The following paragraphs provide a more detail discussion of a number of elements of
regulatory independence:
Elements Of Regulatory Independence
Political: The political system shall ensure clear and effective separation of responsibilities
(duties) between the regulatory body and organizations responsible for the development of
nuclear technologies. In this regard, it is important to distinguish between independence and
accountability. The regulatory body should not be subject to political influence or pressure in
taking safety decisions. The regulatory body should however be accountable with regard to
fulfilling its mission to protect workers, the public and the environment from undue radiation
hazards. One way of providing this accountability is by establishing a direct reporting line
from the regulatory body to the highest levels of government. In the case where a regulatory
body reports to a government agency that has responsibility for exploiting or promoting
nuclear technologies, there should be channels of reporting to higher authorities to resolve any
conflicts of interest that may arise. This accountability should not interfere with the
independence of the regulatory body in making specific safety decisions with neutrality and
objectivity.
Legislative: In the legislative framework of a national regulatory system (e.g. atomic laws or
decrees) the role, competence and independence of the regulatory body with respect to safety
should be defined. The regulatory body shall have the authority to adopt or develop safety
regulations that implement laws passed by the legislature. The regulatory body shall also have
the authority to take decisions including enforcement actions. There should be a formal
mechanism for appeal against regulatory decisions, with predefined conditions that must be
met for an appeal to be considered. The regulatory body shall have the responsibility for
adopting or developing safety regulations that implement laws passed by the legislature.
Financial: “The regulatory body shall be provided with adequate authority and power, and it
shall be ensured that it has adequate staffing and financial resources to discharge its assigned
responsibilities.” (Ref. [2], Para. 2.2 (4)) While it is recognized that the regulatory body is in
principle subject to the same financial controls as the rest of government, the budget of the
regulatory body should not be subject to review and approval by government agencies
responsible for exploiting or promoting nuclear technologies.
Competence: The regulatory body should have independent technical expertise in the areas
relevant to its safety mission. The management within the regulatory body should therefore
have the responsibility and authority to recruit staff with the skills and technical expertise they
consider necessary to carry out the regulatory functions. In addition the regulatory body should
maintain awareness of the state of the art in safety technology. In order to have access to
outside technical expertise and advice that is independent of operator or industry
funding/support to support its regulatory decisionmaking, “The regulatory body shall have the
authority to obtain such documents and opinions from private or public organizations or
55
persons as may be necessary and appropriate” (Ref. [2], Para.2.6 (10)). In particular, the
regulatory body shall have the ability to set up and fund independent advisory bodies to
provide expert opinion and advice (Ref. [2], Para. 2.4, (9)) and to award contracts for research
and development projects.
Information to the Public: One of the responsibilities of the regulatory body is to provide
information to the public. “The regulatory body shall have the authority to communicate
independently its regulatory requirements, decisions and opinions and their basis to the
public.” (Ref.[2], Para. 2.6, (11)). Since the public will only have confidence in the safe use of
nuclear technology if the regulatory process and decisions are transparent, government should
set up a system to allow independent experts and experts from major stakeholders (for
example, the industry and the workforce and the public) to provide their views. The experts'
findings should be published.
International: “The regulatory body shall have the authority to liaise with regulatory bodies of
other countries and with international organizations to promote co-operation and exchange of
regulatory information.” (Ref.[2], Para. 2.6, (14)).
2.2. ORGANIZATION AND FUNCTIONS OF REGULATORY BODY
2.2.1. IAEA guidance for regulatory organization [2]1
The prime responsibility for safety is assigned to the operator. The primary objective of
the regulatory body is to ensure that the operator fulfils this responsibility to protect human
health, and the environment from possible adverse effects arising from nuclear facilities and
management of radioactive waste. In order to achieve these objectives the regulatory body
defines policies, safety principles and associated criteria as a basis for its regulatory actions.
Table VI presents the main functions of the regulatory body.
In order to discharge its main responsibilities the regulatory body needs to:
x Establish a process for dealing with application, e.g. issuing of an authorization;
x Provide guidance to the operator on developing and presenting safety assessments or any
other required safety related information;
x Ensure that proprietary information is protected;
x Communicate with, and provide information to, other competent governmental bodies,
international organizations and the public;
Ensure that operating experience is appropriately analysed and that lessons to be learned
are disseminated;
x Ensure that appropriate records relating to the safety of facilities and activities are retained
and retrievable;
x Ensure that its regulatory principles and criteria are adequate and valid, and shall take into
consideration internationally endorsed standards and recommendations;
x Advise the government on matters related to the safety of facilities and activities;
x Confirm the competence of personnel responsible for the safe operation of the facility or
activity; and
x Confirm that safety is managed adequately by the operator.
1
INTERNATIONAL ATOMIC ENERGY AGENCY, Organization and Staffing of the Regulatory Body for
Nuclear Facilities, GS-G-1.1 (in press).
56
TABLE VI. FUNCTIONS OF THE REGULATORY BODY [2]
The regulatory body has the following main functions:
x Establishment, promotion or adoption of regulations and guides, upon which its regulatory actions
are based;
x Review and assessment of submissions on safety from the operators both prior to authorization
and periodically during operation as required;
x Issuing, amending, suspending or revoking of authorizations;
x Carrying out regulatory inspections;
x Ensuring corrective actions if unsafe or potentially unsafe conditions are detected;
x Taking the necessary enforcement actions in the event of safety requirements having been
violated.
The regulatory body may also have additional functions such as:
x Carrying out independent radiological monitoring in and around nuclear facilities;
x Carrying out independent testing and quality control measurements;
x Initiating, co-ordinating and monitoring safety research and development in support of the
regulatory functions;
x Providing personnel monitoring services and medical examinations;
x Monitoring of nuclear non-proliferation;
x Regulatory control of industrial safety.
The regulatory body needs to be structured in a manner that ensures that it is capable of
discharging its responsibilities and fulfilling its functions effectively and efficiently. The
organizational structure and size of the regulatory body are influenced by many factors and it
is not appropriate to recommend a single organization model. The regulatory body needs a
structure and size commensurate with the extent and nature of the facilities and activities it
must regulate, and it needs adequate resources to discharge its responsibilities.
The organizational structure of a regulatory body varies from country to country. The
following sections provide general guidance on the organizational structure based on the
functions of the regulatory body. The principal functions to be carried out are: regulations and
guides, authorization, review and assessment, inspection and enforcement. The regulatory
body has also the function in connection with emergency preparedness. For a large
organization it is often useful to have each of these functions assigned to a discrete section or
division within the regulatory body. Each of these functions need many specialized skills.
Rather than having each functional unit containing its own specialists, it is often practical and
efficient to group the specialists in a matrix such that each organizational unit assigned
responsibility for a function can draw on specialist skills as needed.
Development of regulations and guides requires a considerable amount of resources. If
new or revised regulations and guides are required frequently it may be appropriate to have a
permanent unit to deal with this. Where the need for new or revised regulations and guides is
infrequent it may be sufficient to identify a mechanism whereby such resources can be drawn
together when required. Regulations and guidance cannot be produced in isolation but
consultation both within and outside the regulatory body is needed. In developing regulations
and guides, account is taken of international standards and recommendations, obligations
imposed by any conventions to which the state may be party, relevant industrial standards and
any advances in technology.
57
Review and assessment are among the main continuous functions of a regulatory body.
It is therefore appropriate to assign this to a person or organizational unit within the regulatory
body. This function often involves drawing together teams of specialists. Review and
assessment is based on regulations and guides. The review and assessment necessitate
effective communication and interaction between different units of the regulatory body. The
main parameters, characteristics and results are recorded and retained, in written form, for
future reference.
Inspection is another continuous function of the regulatory body and can take many
forms. The inspectors may form a permanent part of the inspection unit, or may be drawn
from other parts of the regulatory body as required. Project managers or supervisors should be
appointed to plan and monitor the work of all inspections performed for a facility and draw
the results together. An inspection may result in a requirement for additional review and
assessment or for enforcement action. Therefore, there should be strong and effective links
with all other parts of the regulatory body.
The use of resident inspectors may provide benefits such as improving the ability of the
regulatory body to engage in on-site surveillance of systems, components, tests, process and
other activities of the operator at any time. The full-time presence of inspectors can improve
the ability of the regulatory body to identify and respond promptly to problems. With resident
inspectors, inspection frequency and intensity at any given level of human resources can be
more readily optimised, and the regulatory body may be better informed of operator schedules
and hence better able to coordinate its inspection activities with key operator activities that it
wishes to observe. Where resident inspectors are employed, consideration should be given to
locating more than one at a particular site for mutual support. There should be adequate
communication between resident inspectors and the headquarters to maintain regulatory
effectiveness.
The use of non-resident inspectors may demand less in terms of human resources than
the use of resident inspectors. Non-resident inspectors may inspect more than one site, which
may be a more efficient use of limited resources. Alternatively a non-resident inspector may
be assigned to a particular facility and may co-ordinate inspection activities at that facility.
Furthermore, a non-resident inspector is less likely to become unduly isolated from the
activities and decision making of the regulatory body.
Enforcement actions are designed to respond to non-compliance with specified
conditions and requirements. There are different enforcement actions, from written warnings
to penalties and, ultimately, withdrawal of an authorization. In all cases the operator is
required to remedy the non-compliance, to perform a thorough investigation in accordance
with an agreed time-scale, and to take all necessary measures to prevent recurrence. The
regulatory body shall ensure that the operator has effectively implemented any remedial
actions. The organizational structure of the regulatory body needs to enable enforcement
actions to be taken at appropriate level.
The precise role of the regulatory body in emergencies varies considerably between
states, depending on how it is organized to respond to emergencies in general. In many states,
the regulatory body has an advisory function for the authority responsible for emergency
preparedness. It will therefore be necessary to set up procedures to draw together the
necessary resources when required, and to exercise them as appropriate. The structure of the
regulatory body should clearly indicate a responsible person or group in charge of co58
ordinating the development of procedures, liasing with other organizations involved in the
overall emergency preparedness and conducting the exercises.
The regulatory organization needs an administrative support that is an organizational
unit dedicated to general administrative work.
A regulatory body is by its very nature engaged in activities that require professional
legal support. The legal support can be provided as part of the staff of the regulatory body or
provided by another governmental body or obtained through contract. The regulatory body
should be structured to recognise either implicitly or explicitly the interface of legal functions
with technical and management functions. Activities typically requiring professional legal
participation include, e.g. development of basic legislation and regulations including
compatibility with international conventions and agreements, providing legal advice and
representation of the regulatory body in the case of enforcement activities and at the court of
law.
If a regulatory body or its dedicated support organization does not have an adequate
number of qualified personnel or the workload does not justify the recruitment of a full-time
staff, consultants may be used to perform selected tasks. The technical qualifications and
experience of such consultants are at least at the same level as the staff of the regulatory body
performing similar tasks. More generally consultants are used by the regulatory body to assist
in performing tasks requiring an additional level or area of expertise which may arise
occasionally, or to provide a second opinion on important issues. Since the regulatory body
has to evaluate and utilize the work performed by consultants, it defines the scope of the work
to be performed. The consultants are required to provide a detailed written report which
includes the basis and method of evaluation, conclusions and recommendations that will assist
the regulatory body in completing its evaluation.
The government or the regulatory body may choose to give formal structure to the
processes by which expert opinion and advice are provided to the regulatory body. For
example, broadly based advisory committees with membership drawn from other government
departments, regulatory bodies of other countries and scientific organizations can bring broad
perspectives to bear on the formulation of regulatory policy and regulations. Another type of
advisory committee is the technical committee composed of members with a range of
technical skills needed to evaluate complex technical issues. Such committees may have a
defined role in the authorization process. Alternatively, they may be ad hoc, performing a
function similar to that of consultants but for which a number of different skills are needed to
address complex issues. Any advice offered shall not relieve the regulatory body of its
responsibilities for making decisions and recommendations.
The regulatory body encourages facility operators to carry out the research and
development needed to produce adequate argumentation about safety. However, there may be
situations in which the operator’s research and development are insufficient or in which the
regulatory body requires independent research and development to confirm specific important
findings. The regulatory body may need research and development work in support of its
regulatory functions in such areas as inspection techniques, analytical methods or in
developing new regulations and guides. The regulatory body’s organizational structure reflects
these needs either by setting up a research unit or by having staff who can define research and
development needs, initiate, co-ordinate and monitor the work and evaluate the results.
Regardless of how it is carried out, the regulatory body ensures that the research is focused on
59
regulatory needs, whether short or long term, and that the results are disseminated to the
appropriate organizational units.
The actions and responsibilities of many organizations can interact with those of the
regulatory body. Such organization may include government departments, environmental
protection authorities, other bodies with responsibilities for emergency preparedness, physical
protection, water and land use planning authorities, authorities responsible for public,
occupational, health and safety, fire protection authorities, etc. Where regulatory authorities
overlap it may be appropriate to manage the relationship between the bodies by means of a
formal agreement. This should set out each body’s responsibilities, which should lead on any
aspect of overlap and how conflicting requirements should be resolved. In many cases, it may
be appropriate to have regular liaison meetings.
The regulatory body is organized to provide public information regarding its activities,
both on a regular basis and in relation to abnormal events. Information provided to the public
is objective, reflecting the regulatory body’s independence. The regulatory body is as open as
possible while complying with national legislation on confidentiality. This can best be done
by individuals with expertise in the field of public information to ensure that the information
presented is clear and comprehensible. In a large regulatory body, this may warrant the
establishment of a specialized unit.
The safety of facilities and activities is of international concern. Several international
conventions relating to various aspects of safety are in force. National authorities, with the
assistance of the regulatory body, as appropriate, establish arrangements for the exchange of
safety related information, bilaterally or regionally, with neighbouring States and other
interested States, and with relevant intergovernmental organizations, both to fulfil safety
obligations and to promote co-operation. The involvement of the regulatory body in
international co-operation, arranged by means of multilateral or bilateral agreements, could
consist of exchange of information, mutual assistance in regulatory activities, staff training,
regular staff meetings on specific subjects and other matters. Multilateral co-operation could
be organized using different approaches; for example, regional approaches, multilateral based
on design or type of facilities concerned. The regulatory body may also be involved in
fulfilling national obligations under international conventions. These may require subsequent
actions as appropriate.
In the following, different types of organizational arrangements are described as
examples of how the above responsibilities and duties can be organized.
2.2.2. Examples of regulatory organizations [15]
2.2.2.1. Finland
STUK — Radiation and Nuclear Safety Authority acts as the regulatory body for
nuclear power plants in Finland. STUK maintains jurisdiction over nuclear safety, radiation
protection, pressure vessel, and nuclear material and safeguards. STUK gives detailed
technical and administrative instructions relative to the design, construction, commissioning
and operation of nuclear power plants in so called “YVL” guides. Organizational scheme is
presented in Fig. 8. At the end of the year 2000, STUK employed 290 persons. STUK has a
staff of approximately 80 inspectors for the supervision of nuclear power plants (4 units).
Basic educational level of the inspectors of STUK is: approximately 20% engineers, 70%
graduate engineers (diploma) or a corresponding degree, and 10% with a higher degree. There
are training policies and guidelines for the training of inspectors.
60
FIG. 8. Finland — organization of STUK.
Total finance in 2000 was 129 million FIM (22 million Euros). The sources of funding
of STUK were as follows: states funding allocations (42%); income from monitoring under
public law (29%); expert services (23%); external funding for joint venture (6%), other
funding (2%). Expenditure by sector in 2000 was: nuclear safety (30%); research (29%);
services (21%); radiation safety (8%); environmental radiation monitoring (4%); preparedness
(4%); information (4%).
Regulatory oversight including respective direct costs such as contracted research
activities carried out by STUK is directly charged from the utilities. Other sources of STUK
incomes are the governmental budget and some contracted services. Overhead expenses are
divided to different organizations in relation of working hours carried out. Emergency
preparedness, public information and international and domestic cooperation are paid from the
governmental budget.
2.2.2.2. Switzerland
The legal basis for the regulation and supervision of nuclear activities are: The nuclear
law (1959), the federal amendment to the nuclear law (1978) and the Federal Ordinance about
the supervision of nuclear installations (1983). According to the Ordinance the Federal
Nuclear Safety Inspectorate (HSK) exercises supervision over nuclear installations in
Switzerland. Its main tasks are the establishment of the safety review to be delivered to the
federal government with regard to the granting of a general licence or of permits for
construction, operating, etc. of nuclear installations, and the surveillance and inspection of
these installations. Organizational scheme is presented in Fig. 9.
61
Direction
HSK
Department
Mech. & Electrical
Equipment
Electrical
Engineering
& I &C
Mechanical
& Civil
Engineering
Secretariat &
Central Services,
Scientific Advisor
Safety Research &
International Programme
Co-ordination of
Supervision of NPPs
Human Factors,
Organization &
Safety Culture
Department
Design and Safety
Analysis
Reactor &
Safety
Technology
PSA &
Accident
Management
Department
Radiation Protection
& Emergency Planning
Accident
Consequences
& E P &P
Radiation
Measurement
& Radioecology
Section
Radioactive Waste
Management
Radiation
Workers
Protection
FIG. 9. Swiss Federal Nuclear Safety Inspectorate organization.
The licensee has full responsibility for the safety of his plant. The regulatory body
defines the safety requirements and checks for fulfilment of these requirements. Persons
entrusted with the surveillance may at any time require information and have access to all
documents; they have unhindered access to all installations, offices, and stores.
The inspection personnel belong to HSK as the governmental organization, and also to
private organizations (e.g. for mechanical components, civil structures, and some for radiation
monitoring). The HSK does not have people, who are full time inspectors. Supervision is
carried out by different sections. The co-ordination and inspection section has the duty to coordinate inspection activities. Each site has a site inspector who is a member of this section.
About 70 persons are involved overall in inspection activities of the HSK. They include some
20 persons from private organizations. Inspectors and regulators in the HSK are identical.
Typical qualification is a BS or MS degree and several years of experience in nuclear or nonnuclear industries. Supplemental training in reactor technology and safety is provided in the
first year.
The annual budget of the Inspectorate (HSK) is approximately 6.2 million Swiss francs
(salaries and infrastructure, including the secretariat of the advisory commission (KSA), but
excluding the Commission as such). In addition, some 7 million Swiss francs are budgeted for
external experts and for research contracts. The expenses of HSK are mostly compensated for
by specific revenue from the federal treasury. Fees have to be paid by the applicants/licensees
for all licensing procedures. The operators of nuclear installations are invoiced by the federal
administration for the actual costs of the supervision by the Inspectorate and its experts.
2.2.2.3. United Kingdom
Her Majesties Nuclear Safety Directorate (NSD) as part of the Health & Safety
Executive (HSE) is responsible for enforcing safety and health legislation at any licensed site.
Organization of NSD is presented in Fig. 10. NSD has about 150 inspectors and
90 administrative support staff. About one third of the inspectors are engaged in site
inspection duties, about one third in assessment, with the rest in project management, strategy
and other related duties. There are also a number of inspectors located elsewhere in HSE
providing advice on policy matters. Inspectors are all technically or professionally qualified.
Typically they hold chartered engineer or equivalent status and have suitable experience in an
62
appropriate field. Internal training programmes cover legal and other activities to ensure that
an Inspector is competent to inspect and enforce legislation. NSD does not employ noninspectorial technical or professional staff. Outside experts or specialists are rarely contracted
by NSD to perform inspections but are sometimes contracted to provide assistance or advice
on particular assessment issues.
Chief Inspector
NSD
Division 1
British Energy
Sites
- Inspection
- Assessment
- Projects
- Research
- Strategy
Division 2
British Nuclear Fuels
(BNFL) Sites
- Inspection
- Assessment
- Projects
Division 3
General and Defence
Sites
- Inspection
- Assessment
- Projects
Director’s Support
Finance/planning
Resource Management
Procedures/guidance
FIG. 10. United Kingdom — Nuclear Installations Inspectorate, organization.
Inspectors appointed by the HSE also have the power to stop unsafe acts or require
improvements to be made within given time scales. Some of the conditions attached to the
licence also give the HSE the power to direct the licensee to undertake a specified task (e.g.
shutdown reactors) and the power to consent or approve to certain activities (e.g. items of high
safety significance). These powers are carefully set out so as to not take away the absolute
responsibility of the licensee for safety on the licensed site.
Neither HSE or NSD are involved in licensing of individuals at the nuclear installation,
but powers in the licence conditions exist to enable the HSE to stop any appointment by the
licensee of persons to key safety related posts such as control room operators. NSD’s actions
are subject to internal review processes and in extreme cases can be subject to review by the
United Kingdom courts of law. The Government sets the policy on siting of nuclear
installations, dealing with radioactive waste and decommissioning which NSD implements
through the granting of site licences and its powers under the site licence conditions. HSE sets
policy in respect of work radiation exposure that is enforced by NSD on licensed nuclear
installations and by other parts of HSE for other industrial and medical uses of radioactive
material. NSD also enforces other safety and health regulations in relation to non-nuclear
hazards at licensed nuclear sites.
The Health and Safety Commission also has a group of nuclear experts called Nuclear
Safety Advisory Committee (NUSAC), which provides advice on matters which may be
referred to it or it has decided to take an interest in. NSD makes presentations to NUSAC and
considers its advice.
63
Under the Nuclear Installations Act, HSE recovers most of the running costs of NSD,
together with the costs of any research thought necessary from licensees. Fines, which the
United Kingdom courts of law may impose on a licensee or person, go to the courts and not
NSD.
2.2.2.4. US Nuclear Regulatory Commission
The basic legal and organizational framework for nuclear regulation in the USA has
already been described in 1.4.4. The following section includes a basic description of the
structure and responsibilities of the US Nuclear Regulatory Commission (NRC). The
Commission’s organization chart is set forth in Fig. 11.
Organizational structure of the NRC
The NRC is headed by a Commission comprising 5 members, each appointed by the
President of the USA and confirmed by the US Senate. Several measures have been adopted
to ensure the Commission’s independent, non-partisan character. Commissioners serve for
fixed five year terms and can only be removed for legal cause (e.g. violation of law or
dereliction of duty). The Chairman of the Commission is designated by the President from
among the Commissioners and serves in that capacity at the discretion of the President.
Although the Chairman has some special responsibilities regarding management of the
agency, each Commission possesses and equal vote on policy matters. If removed as
Chairman, the person may remain on the Commission for the remainder of his or her term of
office. One of the commissioners’ terms expires each year, providing a regular rotation of
membership. Commissioners may be re-appointed. However, to avoid partisanship, no more
than three of the five commissioners can be members of a single political party.
A few years ago, the NRC was somewhat restructured along the lines of a corporate
business model. In particular, two new officers were designated to manage major
organizational functions. A Chief Information Officer (CIO) was designated to be responsible
for all information technology, communication and computing capabilities. Similarly, a Chief
Financial Officer (CFO) was designated to deal with resource and budget issues. The
Executive Director for Operations (EDO) continues to be the Chief Operating Officer of the
Agency. The EDO maintains management supervision over all NRC’s three main operating
divisions — Materials, Research and State Programmes; Reactor Programmes; and
Management Services. As indicated in Fig. 8 organization chart, these three Divisions
supervise the activities of the various NRC offices covering specific areas of the Agency’s
responsibility. These cover all the traditional areas of regulatory supervision, including
standard-setting, licensing, inspection and enforcement. A number of offices related to the
Commission’s overall administrative functioning are directly supervised by the Commission,
itself. Such offices include: Inspector General; Congressional Affairs; Public Affairs; General
Counsel; and International Programmes. The Commission’s various advisory bodies (such as
the Advisory Committees on Reactor Safeguard and on Waste) also report directly to the
Commission.
Consistent with the large size and geographic breadth of the US programme, the
Commission has also established four regional offices (in Pennsylvania, Georgia, Illinois and
Texas). These regional offices provide a direct link to state and local governments and
individual installations through resident inspectors stationed at each nuclear power plant.
64
The role of the Office of the Inspector General should be highlighted. This office is
functionally independent of the Commission, issuing reports on how the agency conducts its
business from the standpoint of efficiency, ethics and effectiveness. The office has a separate
budget, approved by the Congress, to avoid any suggestion that the Commission is unduly
influencing its reviews so that the Commission cannot limit its resources if it does not like the
kind of reporting it is getting. As mentioned, the Commission has created two independent
bodies to provide technical advice to the Commission. The Advisory Committee on Nuclear
Waste and the Advisory Committee on Reactor Safeguards (meaning safety) are comprised of
expert scientists and engineers. Law and regulations require that the views of these bodies be
considered in the licensing process.
Regulatory independence and the NRC
Although it is difficult to define regulatory independence, the regulatory framework
within which the NRC functions has been structured to insulate the Commission from outside
influence in its decision making on issues affecting public health, safety, security and the
environment. Key features of this framework are the following:
Separation of functions: As an organization, NRC not only has no responsibility for
promoting or developing nuclear energy, but — importantly — is completely separate from
any other government bodies having such responsibilities.
Political influence: As already noted, no more than three of the five commissioners can come
from a single political party. In a country with two dominant political parties, this helps
protect against partisanship, no matter how much control one party may have on other organs
of government. Commissioners also serve relatively long (5 years) fixed terms, and may also
only be removed for “cause” ( i.e. not because they have lost favor with the current political
leadership.
Conflicts of interest: The Commission implements very strict that prohibit the commissioners
or any of the NRC staff from having a financial or personal interest in entities or subject that
may be subject to their regulatory decisions. Transparency is important in this regard. NRC
employment regulations require annual financial disclosure reports to ensure that improper
relationships are identified and eliminated.
Openness: The concept of transparency goes even further at the NRC. Several laws ensure
that the commission’s decision-making process is conducting in public. For example, the
Government in the Sunshine Act requires advance public notice of meetings, with a right of
attendance by interested parties. The Freedom of Information Act requires broad public access
to any materials used in the decision-making process.
Reporting: An important guarantee of independence is NRC’s ability to provide extensive
safety-related information to the public, media, other governmental bodies, without review or
clearance from any other government agency.
Budget and finance: The NRC covers essentially all of its budget through license fees, as
authorized in an annual appropriations act by the Congress. This “full cost recovery” approach
is believed to provide at least some insulation from political pressures that could result from
having NRC’s resources derived entirely from tax revenues. Further, the NRC is entitled to
65
submit its own budget to the Congress, subject only to review by the President’s Office of
Management and Budget (OMB).
Technical capabilities: For any agency responsible for regulating a complex technology, it is
important to possess adequate scientific, engineering, management, financial and legal
expertise. The NRC’s large staff (almost 3000 employees) reflects high technical competence
and covers cover a wide range of technical areas. This provides important independence from
the regulated industry in terms of assessing information provided by licensees.
Oversight mechanisms: As final insurance against improper decision-making, the NRC
system includes important oversight mechanisms. The internal — but independent — Office
of Inspector General provides a scheduled review of NRC’s management. External oversight
is exercised by the independent judiciary through appeals of NRC decisions to the federal
courts. Congress also conducts oversight that can result in remedial action through legislation
or appropriations.
The eight elements outlined above do not guarantee absolute independence, a status that
is both impossible to achieve and undesirable in principle. However, these elements are
important in assuring that safety judgements are not subordinated to other interests —
political, economic or social. This degree of independence helps maintain public confidence
in the safe uses of nuclear energy, and indispensable prerequisite for its continued use.
NRC implementation of main regulatory functions
In the following is described in greater detail the manner in which the NRC implements
its responsibilities in the main areas of regulatory activity: standard-setting or rulemaking,
licensing, inspection, enforcement, regulatory research and public information.
Standard-setting or rulemaking
At the NRC, regulatory standards are issued through a process called rulemaking. The
process is primarily initiated by the Commission’s technical staff, although any member of the
public can propose that NRC develop, change, cancel or rescind any regulation. The
Commission receives many such requests from environmental organizations and local
organizations. NRC rulemaking is a very open process, with public participation a keystone.
NRC cannot promulgate rules without giving the public an opportunity to make comments.
Before a rule is even drafted, the NRC staff often holds public meetings or workshops to
solicit views on a proposed rule. The preferred approach to rulemaking is to provide advance
notice of a proposed rulemaking in the Federal Register (the daily federal publication that
announces significant government actions). Such an advance notice of proposed rule making
is short, typically about a page long; stating that the Commission is considering adopting a
new rule or changing or cancelling an old one. Some considerations may also be included,
with an indication of initial factors the NRC staff is considering as a basis for the rulemaking.
A period of time (usually not less than 30 days) is provided for comment by stakeholders (i.e.
industry, interest groups, the public). Emergency rules or minor rules may be issued without
public comment, but that is exceptional.
After receiving comments, the NRC staff develops the text of a proposed rule. This text
is also placed in the Federal Register, for specific comment. Depending on the significance of
the issue or on the comments received, the NRC will determine whether to conduct a public
66
hearing on the proposed rule. After comments on the proposed rule are received and
evaluated, and a hearing conducted or denied, a final rule (reflecting any changes considered
appropriate) is published in the Federal Register. NRC rules are subject to challenge in the
federal courts. As previously indicated, such appeals are typically based on whether the
procedure followed in adopting the rule has complied with relevant legal requirements; not
whether the NRC’s technical judgements are correct.
The NRC has recently taken steps to make its rulemaking process even more open and
efficient. The Commission has created a website “NRC Rulemaking Forum” giving advance
notice to the public of rule making and providing a mechanism for receiving comments
electronically. The NRC rulemaking process may appear protracted and cumbersome.
However, it is consistent with the country’s traditions of open and democratic traditions
decision making. It has also been found useful in creating a more stable regulatory system
because Commission decisions are less likely to be challenged or overturned if NRC can
demonstrate that the public has been involved fully and at every stage in establishing
regulatory standards.
Licensing
For some years, NRC’s reactor licensing function has not been particularly active. The
Commission has not received an application for a new nuclear power plant since the late
1970s. However, the Commission has used this period to streamline and update the licensing
process.
The traditional approach to licensing power reactors was a two step process, involving a
separate Construction Permit (CP) and an Operating License (OL). This process is set forth in
Part 50 of the Commission’s rules (in Title 10 of the Code of Federal Regulations (CFR)).
Part 50 lists the extensive requirements such licenses. Extensive evaluation of the licensing
process, urged by the nuclear industry and some in Congress, convinced the Commission that
this two-step process was unnecessarily cumbersome and inefficient. As a result, the NRC
adopted a streamlined, combined CP/OL licensing process that is set forth in Part 52 of the
CFR. Under this approach, an applicant with a pre-approved site and approved design can
obtain a single license permitting him to operate the plant. Part 52 details the requirements for
site and design approvals.
Even under the new Part 52, the reactor licensing process is lengthy and complex. The
following summary identifies the major steps in the NRC process:
x The applicant must submit a safety analysis report (SAR) covering essential factors
including: design criteria and information; comprehensive site data; safety features to
prevent and mitigate hypothetical accidents; an environmental report on potential impacts;
and economic information for purposes of an antitrust review (analyzing possible
competitive economic effects).
x The application must also be reviewed by the Commission’s independent Advisory
Commission on Reactor Safeguards (ACRS).
x The NRC staff prepares an environmental statement that is issued for public comment.
67
x A public hearing on the application is required before one of NRC’s atomic safety and
licensing boards (ASLB). An ASLB is comprised with 3 members, two of which have
technical backgrounds and one who is lawyer. Typically, an ASLB is chaired by the lawyer,
who is expected to deal with legal and procedural issues.
x During this process, the Commission may issue a limited work authorization (LWA) to
permit certain site preparation and initial construction activities on a “reasonable
assurance” that the plant will meet safety and environmental requirements.
x After the public process has been completed a final safety analysis report (FSAR) is
prepared, setting forth details justifying the issuance of the license.
x Under the Part 52 process, the Commission may issue an early site permit (valid for 10–
20 years) and a standard plant design certification (valid for 15 years). A number of sites in
the USA have received early site approval. Also, several standardized plant designs have
been certified. A hearing is mandatory under Part 52, after completion of the ACRS and
NRC staff reviews. An important benefit of the combined Part 52 license is that issues
resolved in early site permit or design certification proceedings cannot be considered at the
combined license stage.
Even in the absence of applications for new nuclear power plants, the NRC has been
confronted with important licensing issues. The first of these is license renewal. Nuclear
plants in the USA were originally licensed for 40 years. A number of operating plants are now
approaching the end of their license terms. This raises the issue of whether (and if so, for how
long) they should be authorized to continue operating. With over one hundred operating
reactors in the USA, the NRC anticipates a large number of requests for license renewal. The
commission’s regulations in Part 54 of Title 10, Code of Federal Regulations, establish
detailed safety requirements for license renewal. The NRC’s primary focus in it license
renewal review is on so-called “passive” and “long-lived” structures and components (e.g.
reactor vessel, reactor coolant pumps, piping, steam generators, pressurizer, valve bodies and
pump casings). A must demonstrate that any ageing effects will not unacceptably effect the
safety of the plant. License renewal also requires another environmental review,
supplementing the original review, for the purpose of assuring that extended operation will
not have unacceptable impacts.
A second major licensing issue confronting the NRC is license transfer. Restructuring
and deregulation of the electricity industry for economic reasons has accelerated in recent
years in the USA. New companies are getting into the business of generating electricity, while
other companies are leaving the business or merging into new legal entities. Where a new
legal entity takes over an existing nuclear plant, continued operation will require a transfer of
the current NRC operating license. For this to happen, the Commission must make a
determination that the new operating organization has the technical, management and
financial capabilities to operate the reactor safely.
Inspection
The third key regulatory function is inspection. NRC conducts a wide range of different
types of inspections of nuclear reactors, fuel cycle facilities and other users of nuclear
material. For nuclear reactors, the Commission inspection programme is primarily conducted
68
through a system of resident inspectors. The Commission has assigned at least two resident
inspectors to each site, with additional inspectors for sites with multiple reactors. Resident
inspectors continually monitor licensee activities on the site, both obtaining and transmitting
early information concerning plant conditions and facility events. The resident inspectors
provide direct contact between NRC management and the licensee. They also evaluate what
additional inspection activities may be needed that they are not competent to conduct
themselves. Many of these special inspection activities are conducted from the NRC’s four
regional offices and some from the Commission headquarters. Specialist inspectors from
headquarters or regional offices typically cover such as radiation protection, instrumentation
and control, earth sciences and fire safety. In terms of overall inspection effort, the NRC
spends an average of approximately 3250 inspection hours (about 6 person-years) on each
reactor annually. The NRC has also developed specific reactor inspection programmes for the
major phases of nuclear power plant construction and operation, including: pre-construction
activity, construction permit activity, pre-operational phase, start-up phase, operations phase
and decommissioning phase.
Outside the power reactor field, NRC also conducts approximately 1700 health and
safety inspections of nuclear materials licensees annually.
Qualification requirements for NRC inspectors include: a college degree in engineering
or physical science, experience in the nuclear industry (except for interns), onsite inspection
training, qualification board and certification and periodic refresher training. The NRC
provides an extensive training and certification programme for inspectors at its training center
in Chattanooga, Tennessee. Much of the training is done through reactor simulators at the
training center on full-scope simulators covering most major reactor designs used in the USA.
Each NRC inspection is fully documented in a formal report that includes: scope of the
inspection and conclusions on the effectiveness of the programme inspected, licensee
management and quality assurance programme, strengths and weaknesses of the licensee,
compliance with NRC requirements, findings to support conclusions and determinations on
violations (generally dealt with in a separate enforcement proceeding).
Finally, with regard to inspection, it should be noted that the NRC has recently
implemented a new reactor oversight process utilizing a risk-informed, performance-based
approach focusing on safety issues deemed of greatest importance. This approach aims at refocusing inspection effort and reducing the burden to both regulators and operators by taking
advantage of risk insights. Although it involves the entire range of regulatory activity, it is
particularly relevant to the inspection and enforcement functions. This new approach is
discussed in some detail in 6.3.1 — NRC’s risk-informed, performance-based assessment
programme.
Enforcement
The fourth key regulatory function is enforcement. The importance of the enforcement
function is underlined by the fact that NRC maintains an office of enforcement that is separate
from organizational bodies conducting regulatory inspections. Requiring inspectors to justify
the need for enforcement action by another Commission body, is not only a check on overzealous inspectors, but encourages full documentation of violations. The objectives of NRC
enforcement action are to deter licensees from failing to comply with NRC regulatory
69
requirements and to encourage licensees to promptly identify and to correct any violation of
safety significance.
Three types of enforcement actions are employed by the NRC: notice of violation, civil
monetary penalties and orders to modify, suspend or revoke licenses.
Violations are ranked by their significance from severity level I (most serious) to
severity level IV (least serious). NRC considers four factors in determining the level of
significance: actual safety consequences, the potential or future safety consequences, impact
on NRC’s regulatory functions, intent of the violation (e.g. whether the licensee committed
the violation deliberately or was merely careless, or did not understand the requirement).
In applying its enforcement sanction, the Commission may consider civil monetary
penalties for Level III violations (these are routinely used for Level I and II violations). The
Atomic Energy Act authorizes the NRC to penalize a licensee up to 120 thousand dollars per
day. A more severe sanction would be to close down a facility entirely, an action the NRC is
also authorized to do in cases where the public health and safety may be at risk. The amount
of a civil monetary penalty will depend on several factors, including: type of licensed activity,
type of licensee, severity level of the violation, whether the licensee has been the subject of
significant enforcement action in the past two years or past two inspections, whether the
licensee should receive credit for identifying the violation, whether the licensee has taken
prompt and effective action to correct the violation, whether, in view of all the circumstances,
discretion should be exercised with regard to the amount of the penalty.
In 1999, the NRC assessed over a million dollars in civil penalties. The money obtained
through NRC enforcement does not come directly to the Commission, but it goes to the US
Treasury. For serious violations we do have criminal prosecution penalties.
For serious, intentional or repeated violations, criminal penalties (e.g. imprisonment)
may be applicable. In such cases — extremely rare — the NRC will refer the matter to the
Department of Justice for further investigation and possible prosecution.
Regulatory research
NRC has a very substantial regulatory research programme. The Commission usually
refers to its programme as confirmatory research to make clear that its purpose is to support its
regulatory mission, not the development or promotion of nuclear energy. The programme has
three main objectives: to provide independent information to support regulatory decision
making, to assess the potential safety significance of technical issues, and to prepare the NRC
to deal with future safety issues arising from new designs and technology.
NRC’s research budget, which had averaged about $100 million annually, has been
reduced to approximately $70 million in recent years due to government deficit reduction
efforts and other circumstances. With more limited resources, current NRC research activities
have focused on issues of greatest significance for nuclear safety, including: emerging
technologies (e.g. digital instrumentation and control systems), plant ageing issues,
decommissioning, operating experience, and risk-informed regulatory approaches.
More limited resources have also encouraged the NRC to look for opportunities to
conduct cooperative safety research with other nations in joint bilateral or multilateral
70
projects. The NRC maintains a large cooperative programme with Japan, a joint project with
Russia, and with other countries.
Public information
NRC considers public information one of its most important responsibilities. Public
confidence in the safety of nuclear energy depends, to a great extent, on the openness and
credibility of regulators. NRC maintains a separate Office of Public Affairs that reports
directly to the Commission. Each of NRC’s four regional offices also maintains a public
affairs office. As discussed earlier, a number of laws require the Commission (and all other
US government agencies) to provide a broad range of information to the public, the legislative
branch, and to the press and media. Examples of the wide-ranging materials made available by
the Commission are provided in the next section of this Section — NRC regulatory guidance.
The NRC’s website (www.nrc.gov) provides access to this information in electronic form.
Regulatory guidance
The system through which the NRC provides regulatory guidance is extremely wideranging and diverse. It should be emphasized that this guidance is not directed solely to
licensees. Of course, guidance is essential in achieving an effective regulator-operator
interface. However, it is also important to recognize that the regulatory guidance has many
stake-holders who seek to review this guidance and to utilize it for their purposes. Such stakeholders include: local and state governments having important roles in the regulatory process;
other federal agencies; interest groups (i.e. local community groups, environmental
organizations);the press and media; other nations; international organizations; and members of
the general public. It should not be ignored that the primary consumers of regulatory guidance
are NRCs own employees, who will be expected to conduct their responsibilities consistently
with agency policies and standards.
NRC guidance ranges from highly formal documents that are strictly binding on
licensees and NRC staff, to less formal guidance on general Commission policy. This
guidance is also multifunctional, ranging from organization and management procedures,
through standards and technical specifications, to inspection and enforcement requirements.
This guidance also covers many different subjects.
An important feature of NRC’s guidance system is that virtually everything NRC
produces as a guideline is publicly available, resulting in a highly transparent process. Finally,
another important aspect of the NRC system is that it is a process in constant revision and
reinvention. NRC guidance documents are continually reviewed, updated, changed and
cancelled accordingly.
Before discussing some of the most important examples of NRC regulatory guidance, it
may be useful to have a general overview of the types of documentation developed and made
available by the Commission. Table VII — Survey of USNRC guidance documents provides
such an overview.
71
TABLE VII. SURVEY OF US NRC GUIDANCE DOCUMENTS
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
Code of Federal Regulations — Title 10
Regulatory Guides
NRC Legislation
NRC Inspection Manual
ADAMS
Federal Register Notices
Standard Programme
Enforcement Reports
Inspection and Assessment Reports
Operational Experience Reports
Part 21 Reports
SALP Reports
Technical Reports
Administrative Letters
NRC Bulletins
Generic Letters
Information Notices
Regulatory Issue Summaries
Inspector General Reports
Commission Meeting Transcripts
Preliminary Notifications
Speeches
Information Digest
It would not be either possible or useful to attempt to describe all of these documents.
However, they can be easily accessed through the Internet, to provide a detailed picture of
NRC’s regulatory approach.
The legal pyramid of guidance documents
As in most other nations, the legal pyramid in the USA is comprised of the fundamental
law or constitution at the top, regular legislative acts or laws at the next lower level,
regulations at a lower level still, with technical standards and regulatory guidance at the
lowest level. For the USA, the top of the pyramid is occupied by the US Code Annotated, the
official compilation of laws enacted by the Congress. To the extent that these laws sometimes
adopt specific requirements that must be applied by the NRC, they could be considered a form
of regulatory guidance.
Code of Federal Regulations: However, the highest level of material that can be properly
considered NRC guidance is probably the next lower level, which is occupied by the code of
federal regulations (CFR). The CFR comprises the regulatory enactments of all US Federal
agencies. Title 10 of the CFR contains energy-related regulations, including those
promulgated by the NRC. These regulations are promulgated through formal agency
procedures, typically involving the requirement for public notice and opportunity to comment.
Title 10 contains basic standards generally applicable to all NRC licensees, with a range of
technical references. The Index to Title 10 is about 4 pages and lists all subjects in the CFR
that pertain to the business of nuclear regulation. However, only a few parts of the CFR need
72
special mention here. Examples of those particularly relevant to the regulation of the safety of
nuclear reactors include:
Part 2
Part 20
Part 21
Part 25
Part 50
Part 51
Part 52
Part 54
Part 55
Part 100
Part 171
rules for licensing proceedings.
radiation protection standards.
reporting defects/non-compliance.
fitness for duty reports.
licensing of production and utilization facilities (NPPs).
environmental protection.
early site permits/standard designs.
NPP license renewal.
operators licenses.
reactor site criteria.
annual fees for reactor licenses.
NRC regulatory guides: An important category of NRC guidance is regulatory guides (see
Table IV, number 2). These are designed to provide guidance to licensees and applicants on
implementing specific NRC regulations. They explain the methodologies and techniques used
by the staff in evaluating certain problems or accidents. They also provide specific data
needed by the NRC staff in reviewing permits or licenses. They inform a licensee what he has
to submit for the purpose of obtaining authorization to conduct a licensed activity. The
regulatory guides fall within 10 divisions, as follows:
x
x
x
x
x
x
x
x
x
x
Power reactors.
Research and test reactors.
Fuels and materials facilities.
Environment and siting.
Materials and plant protection.
Products.
Transportation.
Occupational health.
Antitrust and financial protection.
General.
NRC inspection manual: Very important document is the NRC inspection manual that is
primarily intended to guide NRC inspection staff in regulatory activity. However, it also
provides guidance to licensees and public on how NRC conducts its work including
procedural and organizational matters. The manual is an internal document, it is not subject to
the level of outside review or public participation like the Code of Federal Regulations.
NUREG Documents: Somewhat below the regulations and regulatory guides there are reports
in a numbered series designed NUREG Documents. The series was begun very early in the
history of the Atomic Energy Commission. NUREG Documents are technical reports on
subject of broad interest. They are not regulations, nor even mandatory documents, but they
provide important on technical subjects of broad interests. They also include directories,
manuals, procedural guides for internal NRC use, as well as the proceedings of meetings or
conferences on technical subjects. International agreements are also set forth in NUREG
Documents. Generic environmental impact reports, which are general statements about the
impact of certain kinds of nuclear activities on the environment that are used in the licensing
73
process are also included in this series. Reports about contracts the NRC has negotiated with
other organizations are a final category of NUREG.
Generic communications: Because they do not fit in any other category, NRC has included a
number of documents in a series called “Generic Communications”. The category can include
administrative letters to licensees about aspects of their work that are concerned to the
Commission. The series also includes bulletins on technical or administrative matters,
circulars, generic letters and similar documents (for example, those relating to a common
mode problem in a reactor system). Information notices and regulatory issues summaries are
also circulated to the public. These concise summaries describe the handling of regulatory
issues of particular interest.
Inspector General reports: The Inspector General issues annual and semi-annual reports on
specific topics providing the reports of his investigations on NRC management practices to
ensure efficiency, effectiveness and integrity. This is the important mechanism of the NRC’s
internal quality assurance process. The Inspector General may also report on conduct by
licensees where that conduct affect NRC regulatory programmes. Inspector General reports
are read very carefully on the subject of great interest.
Accessing NRC regulatory guidance documents: The first stopping point for anyone seeking a
particular NRC guidance document is the agency’s website at www.nrc.gov. The site is a userfriendly clearing-house for the complete range of NRC documentation. In addition to the NRC
website, another avenue for research into the Commission’s guidance documents has recently
been developed. ADAMS is the acronym for NRC’s new automated data acquisition and
management system, an information technology engine that puts every piece of paper in the
NRC system into an electronic form that can be accessed by authorized persons. ADAMS will
permit rapid access to every aspect of the NRC regulatory guidance system, enabling the
Commission to communicate with its licensees, the public and other people.
74
75
Office of the
Inspector General
Office Nuclear Materials
Safety & Safeguards
Chief Information
Officer
Office of Public
Affairs
Region III
Chicago, IL
Region II
Atlanta, GA
Region I
Philadelphia, PA
Atomic Safety and
Licensing Board
Office of Secretary
of the Commission
Office Small Business
and Civil Rights
Region IV
Arlington, TX
Incident Response
Operations
Office of
Human Resources
Deputy Executive Director
for Management Services
Office Commission
Appellate Adjudicat
Office of General
Counsel
Office International
Programs
FIG. 11. US Nuclear Regulatory Commission — organization.
Office of
Investigations
Office of
Enforcement
Office of Nuclear
Reactor Regulation
Office of
Administration
Office of State and
Tribal Programs
Office of Nuclear
Regulatory Research
Deputy Executive Director for
Reactor Programs
Executive Director
for Operations
Chief Financial
Officer
Office of
Congressional Affairs
Deputy Exec. Dir. for Materials,
Research and State Programs
Advisory Committee
on Reactor Safeguards
Advisory Committee
on Nuclear Waste
The Commission (5 commissioners)
2.3. LICENSING OF A NUCLEAR POWER PLANT
2.3.1. IAEA approach to licensing
The Convention on Nuclear Safety presents in its Article 7 that the legislative and
regulatory framework shall provide for a system of licensing with regard to nuclear
installations and the prohibition of the operation of a nuclear installation without a license.
The license means any authorization granted by the regulatory body to the applicant to have
the overall responsibility for the siting, design, construction, commissioning or operation of a
nuclear installation.
The licence is an official document that authorizes a specified activity or set of
activities in connection with nuclear installations and establishes requirements and conditions
governing the performance of these activities. Such sets of activities are often: siting,
construction, commissioning, operation and decommissioning. Further details concerning
licences are given in 5.1.2.5.
In this respect, the licence and its set of conditions fulfils several functions: the licence
may be the appropriate (and best) means to develop, interpret and complete the
legislation/regulation when the latter follows non-prescriptive approach, and it will make
mandatory appropriate parts of guides and standards, as well as specific proposals made by the
applicant (this is usually the case in a non-prescriptive approach, where the choice of methods
or solutions will be based on such proposals and submitted to the regulatory body for
approval). The licence could thus fulfil a part of the functions attached to regulations in the
case where appropriate regulations are not available.
The licence is the final result of evaluation (review and assessment) of the application
and formulates the conclusions and decision(s) of the regulatory body relative to it and, as
such, it gives the applicant the formal authorization to proceed within the limits set, on the one
hand, by the legislation and, on the other hand, by the conditions included in the licence.
Licence conditions are always mandatory and have the force of law. They have to be included
in the licence either explicitly or by reference or attachment. Licences may include (parts of)
legislation/regulation and other relevant documents by quoting, by reference or by attachment.
In the licensing process, the licence is at the key-point of starting a new set of activities
of the “applicant” and where the “applicant” becomes a “licensee”.
The licence with its conditions is a living document: it can be adapted (sometimes it
has to be adapted) to a changing situation (e.g. modification of the plant; experience feedback;
new knowledge brought by research); it can also be suspended or revoked. Only the regulatory
body has the legal power to modify, suspend or revoke a licence. The licensee may request a
modification of its licence, but it has to do so through a new application.
More detailed guidance on the format and content of licence document is given in
5.1.2.5.
76
2.3.2. Examples of licensing practices
2.3.2.1. USA
The current trends in the USA in the licensing and re-licensing of nuclear power
plants are presented in 2.1.2.4.
2.3.2.2. United Kingdom
In the UK, the NSD as regulatory body grants only one licence at the creation of the
nuclear facility. At each new stage in the life of the facility, that means also at each stage of
the licensing process, the initial licence will be amended and the set of licence conditions will
be adapted to the new stage. The British licence contains a standard set of 35 licence
conditions. The NSD can modify a licence condition without delay and without a possibility
of appeal. Each nuclear site licence has conditions attached that have the force of law and
which place either absolute requirements or require the making of adequate arrangements and
compliance with those arrangements. A fundamental feature of one condition is the
requirement for the licensee to demonstrate the safety of the proposed operation in a document
known as the “safety case”, prior to the start of that operation. Breach of any law, regulation
or licence condition is a criminal offence and the offender may be prosecuted in the United
Kingdom courts of law.
2.3.2.3. Switzerland
In Switzerland, the licence is a general authorization usually for a whole set of
activities involving one nuclear facility (nuclear power plant or other nuclear facility including
associated radiological aspects) or for a single step in the case of a „small“ project such as a
radiochemical laboratory with only aspects of radiological protection. In the case of the
nuclear facility, it is the government itself (Federal Council) that has the exclusive
competence to grant the licence. A modification of a licence condition needs re-issuing the
licence along the licensing procedure, i.e. including consultation and possibility of appeal.
However, in case of urgency, the Swiss safety authority (HSK), has the power to issue an
order to modify a particular licence condition or even to suspend the licence, but this has to be
eventually confirmed by the licensing authority.
Within the frame of a valid licence, the HSK defines sets of the licensee’s activities for
which its approval is necessary prior to starting specified activities. Upon its approval, the
Inspectorate has the competency to give the corresponding authorizations directly to the
licensee and does it in the form of issuing “execution permits”. This gives to the Inspectorate
a practical and efficient means of controlling the licensing process (e.g. selected parts of
construction work; manufacture of important components; assembling and wiring on site; sets
of commissioning tests; start up after refuelling or after modification or repair; etc.).
2.3.2.4. Licensing and commissioning of nuclear power plants in Finland [16]
In Finland, licensing procedures are presented in the Nuclear Energy Act and Decree.
Licensing documents are handled in more detail in Section 4. Applications are sent to the
Council of State and the administrative body handling the applications is the Ministry of
Trade and Industry. According to the law STUK is the expert body to review the nuclear
77
safety aspects. STUK gives its statement including its stand on nuclear safety and safety
assessment report to the Ministry.
The siting and construction of a nuclear power plant requires the decision in principle of
the council of state stating it is in line with the overall good of society. According to the Nuclear
Energy Act, the decision in principle shall be given to parliament for review so that parliament
may reverse the decision in principle as such or may decide that it remains in force as given. In
the application, one or several plant site and plant type options may be given on which a decision
will be made later. In accordance with Nuclear Energy Act, STUK makes a preliminary safety
assessment of the application. When preparing the safety assessment, STUK invites comments
on the assessment from the advisory committee on nuclear safety and, where necessary, also
from other expert organizations.
A nuclear power plant construction licence as well as an operating licence is applied for
from the council of state. STUK issues statements on the applications for a construction licence
as well as for operating licence. The statements are supplemented with safety assessments. When
preparing the safety assessments, STUK invites statements on them from the advisory
committee on nuclear safety and, where necessary, also from other expert organizations. The
prerequisites for granting a construction and operating licence are prescribed in the Nuclear
Energy Act. In its safety assessment STUK takes a stand on the fulfilment of statutory
requirements as regards the issues to be reviewed by STUK.
According to the Nuclear Energy Decree, the various phases of nuclear facility
construction may be started only after STUK is satisfied for each phase. STUK exercises
detailed control over the construction of the facility. This control aims to ensure that the
conditions of the construction licence, the regulations which apply to pressure vessels and the
approved plans are complied with and that the nuclear facility is built, also in other respects, in
accordance with the regulations issued by virtue of the Nuclear Energy Act. During construction,
control is focused on the working methods in particular to guarantee high quality. The licensee
shall appoint a responsible manager and his deputy for the construction of a nuclear facility who
have approval from STUK for this job. The qualifications required of the responsible manager
are presented in the Nuclear Energy Decree.
Pursuant to the Nuclear Energy Decree, STUK ensures that the operating organization is
adequate and appropriate and that the individuals participating in the use of nuclear energy meet
the qualifications required and that proper training is arranged for them. According to the
Nuclear Energy Decree, the licensee shall appoint a responsible manager and his deputy for the
operation of a nuclear power plant who shall have approval from STUK for this job. Pursuant to
the Nuclear Energy Decree, the operator of the facility systems in the main control room of a
nuclear facility must have STUK's approval for the job.
A trial run is an essential part of a nuclear power plant's commissioning. It serves to
demonstrate that the plant is built and operates according to design. The trial run is divided into
the following main parts: systems tests, fuel loading and pre-criticality tests of reactor systems,
reactor criticality and tests at low power, and tests at various power levels. STUK controls
nuclear power plant trial run by reviewing the overall trial run plans and programmes, by
witnessing the tests conducted at the power plant and by inspecting the trial run result reports.
Nuclear power plant operation is considered to begin when the loading of nuclear fuel
into the reactor is started. At this stage, to ensure that the plant conforms to the regulations that
78
apply to it, STUK makes a specific inspection to ensure that the plant and the operating
organization are ready for the operation. Reactor loading may be started when STUK has
approved the loading application and the reactor and fuel behaviour reports for the first fuel
cycle. The reactor may be made critical and brought to a higher power level in conformity with
STUK's decisions.
When the trial run has ended, the licensee and STUK will carry out an overall
assessment of the results. Based on the results of the trial run, also the technical specifications
are reassessed. Based on the assessment, the licensee makes any necessary changes which are
then approved by STUK.
2.3.2.5. Licensing in Germany: principal parties involved [17]
Licensing authorities
In Germany there is no central licensing authority like in most countries. The
implementation of the nuclear licensing procedure is within the competence of the supreme
authorities of the Länder but the Federal Government retains the ultimate legal power and the
right to overrule local decisions, if necessary. Thus, the construction and operating licence for
a nuclear facility will be granted by the respective Land authority acting as the nuclear
licensing authority. There is co-operation between federal supervisory authorities and nuclear
licensing authorities.
The Supreme Land authorities (ministries), appointed by the Land governments, are
responsible for licences and interim decisions in accordance with the Atomic Energy Act as
well as their withdrawal and revocation. In general, these authorities are the respective
ministries for the environment or economic affairs of the Länder. These authorities also
supervise facilities according to the Atomic Energy Act and the use of nuclear fuels outside
the facilities. In individual cases, they may appoint subordinate authorities to carry out this
task.
Federal offices and advisory committees
The Federal Office For Radiation Protection (BfS) was established as the sovereign
supreme federal authority in Salzgitter in the portfolio of the Federal Minister For The
Environment, Nature Conservation and Reactor Safety (BMU). This Federal Office performs
administrative tasks in the fields of radiation protection, nuclear safety and the transportation
of radioactive substances and radioactive wastes. It supports the BMU in technical and
scientific matters and also does research in fulfilment of its tasks.
Among other things, the Federal Office for radiation protection is responsible for:
x State custody of nuclear fuels;
x Construction and operation of plants of the federal government to secure and permanently
store radioactive wastes;
x The transportation licence for nuclear fuels and large sources, as well as its withdrawal
and revocation;
x The licence for storage of nuclear fuels outside of state custody.
79
In addition, the Federal Office is the Federal Government Centre for the monitoring of
environmental radioactivity and keeps the radiation protection register. The radiation
protection register includes data on the radiation exposure of persons exposed to radiation due
to their profession, In order to keep watch over the values of the maximum permissible dose
as well as data on compliance with the principles of radiation protection. The Federal Export
Agency and the customs authorities of the Federal Minister of Finance, respectively, are
responsible for licensing the import and extort of nuclear fuels.
The following advisory commissions and one co-ordination panel (Federal
Government/Länder) are available to the BMU for the purpose of federal supervision of the
Länder:
x Reactor Safety Commission (RSK).
x Commission on Radiation Protection (SSK).
x Länder Committee for Nuclear Energy.
RSK and SSK prepare recommendations for the BMU concerning special safetyrelated matters in general or on a particular nuclear power plant.
The Reactor Safety Commission advises the BMU on all safety-related matters related
to nuclear reactors and nuclear fuel cycles. In general, the RSK consists of 18 members who
represent the different technical areas of nuclear engineering, as e.g. constructional
engineering, measurement and control engineering, reactor physics, systems control
engineering and the science of materials. As a general rule, membership is limited to three
years and constitutes a personal honorary function without allowing substitution. The
members are appointed by the BMU. They are independent and not bound by directives.
The Commission on Radiation Protection has the task of advising the BMU in all
matters related to the protection against the hazards resulting from ionising radiation. In
general, the SSK consists of 17 members who need to have special knowledge of one of the
following main areas: biophysics, radiochemistry, radiology and nuclear medicine,
radioecology, radiobiology, non-ionising radiation, radiation genetics, radiation protection
medicine, radiation measurements technique and radiation protection technique. As with
RSK, the SSK-membership constitutes a personal honorary function. As a general rule, the
members are appointed by the BMU for a period of three years. They are independent and not
bound by directives.
The Committee for Nuclear Energy debates and co-ordinates questions related to the
application and interpretation of statutes and ordinances pursuant to nuclear law and radiation
protection law. With a BMU-representative in the chair, it consists of referees from the other
Federal ministries as well as the department heads/functional department referees of the
Länder ministries. As an Advisory and Co-ordination body of the Federal government, its
decisions are only recommendations, in practice, however the Committee for Nuclear Energy
plays an important role.
According to the Atomic Energy Act, the construction, operation and possession of
nuclear installations are subject to continuous supervision. The supreme authorities of the
Länder are responsible for exercising supervisory and control functions, which they may
delegate to subordinate agencies, in individual cases. In general, independent experts or expert
80
organizations, namely the technical inspection agencies (TÜV) are involved. In addition,
import, export other professional handling and transportation of radioactive material, as well
as construction and operation of final repositories for radioactive waste are subject to
governmental licensing and supervision.
Länder authorities and technical support organizations (TÜVs)
Within the regulatory body of a state (Land) approximately 5 to 10 person-years per
nuclear power plant unit and year are spent for inspection and supervision. Typically one to
three inspectors are in charge of inspections regarding nuclear safety of one nuclear power
plant unit. Inspection regarding e.g. radiation protection, often is delegated to subordinate
governmental agencies. In addition, supervision for industrial safety and environmental
matters, as legally required for all types of industrial activities is carried out by other
competent agencies.
In general, for all supervisory and inspection programmes independent experts are
assigned by the Länder authorities for examination of reports, reported events, calculations,
technical specifications, safety assessments for modifications and for conducting or assessing
in-service inspections. In most cases, Technische Überwachungsvereine (TÜVs) are assigned
as expert organizations. There are several TÜV-Organizations in Germany, historically
assigned to and working mainly in the individual Federal Länder. Recent developments go for
the formation of larger organizations (holdings, Ltd., Corporate) serving the needs of several
Länder. Including non-nuclear inspection programmes (e.g. for cranes, fire protection,
pressure vessels), which are also carried out by TÜV-personnel, a total manpower of
approximately 30 to 40 man years per nuclear power plant unit each year is spent for
inspection by experts. This does not, however, include safety assessments and expertise for
major modifications, for which a licence is required.
During refuelling outages, the presence of regulatory inspection personnel and experts
at the plant is increased. On average, about 30 experts performing inspections and recurrent
tests are constantly present at the site during the outage. The inspectors of the regulatory body
are in possession of a university degree e.g. engineering, physics, chemical engineering) and
have several years of practical experience in industry, research centres, with technical expert
organizations or in licensing bodies. Personnel of technical expert organizations (TÜV), who
are contracted as experts hold university degrees in technical fields or technical engineering
degrees. For special inspections, e.g. pressure vessel inspection according to the pressure
vessel regulation ordinance, state authorized and licensed inspectors are assigned, also within
the TÜV organizations. The inspectors are trained in professional courses, symposia,
workshops, simulator training courses and, as guests, during actual operation of nuclear
facilities, and by exchange of experience. The inspectors authorized by the supervisory
authorities, as well as experts consulted by them, have access to the nuclear installations, and
may carry out necessary examinations and request pertinent information.
To implement their respective tasks, the staff of the federal ministries and agencies and
of the Länder authorities as well as their material expenses are budgeted within the Federal
and the Länder governmental annual budgets. There are also budgets for research on nuclear
safety and radiation protection.
According to the basic principles of the administration cost act, fees are levied for all
administrative actions in favour of individual persons or private companies. In the case of
81
licensing and supervision of nuclear installations, the Atomic Energy Act provides the
regulation for the charging of costs, including fees and expenses, to the applicant or the
licensee. Details on the respective fees are laid down in the atomic energy act cost ordinance.
For example, the fee for granting a construction licence for a nuclear power plant is set to
2/1000 of the construction costs of the nuclear licensed part of the plant. For other licensing
decisions, fees may range from 1000 to 1 Million DM. In addition, fees for conducting
inspections and measurements are fixed. These fees shall be based on the actual expenses and
will be invoiced to the licensee.
The licensing as well as the inspection authorities may contract experts and expert
organizations (TÜV´s) for expertise and conduct of inspections, provided these expenses are
justified according to the technical needs and difficulties. The expenses for the experts are
reimbursed to the regulatory body by the licensee.
Experts
In the licensing and supervisory procedure pursuant to the Atomic Energy Act or
Radiological Protection Ordinance, the respective authorities may consult experts. Such
consultation by the Länder authorities is normal practice. There are either experts
organizations (e.g. Technical Inspection Agencies such as GRS) or individual experts. The
selection criteria is: technical knowledge, experience, objectiveness, impartiality, neutrality
and reliability. The experts are merely “helpers to the authorities” in establishing the facts of
the case. They do not have any authority to make decisions. Their opinions are subject to the
free evaluation of the evidence by nuclear licensing and supervisory authorities who make the
final decisions.
The essential questions of the examination in the licensing procedure are: (1) Which
requirements are to be fulfilled by systems and components? (2) Can these requirements be
fulfilled according to best practices?
The Atomic Energy Act, the decrees, the general administrative rules and the so-called
technical-scientific regulatory work (as e.g. guidelines, RSK/SSK-recommendations, safety
standards of the nuclear standards committee (KTA-Regeln), German industrial standards
(DIN-Norms) are the measuring instruments for decision-making.
Applicant
In Germany, applicants for the construction of nuclear facilities are in general
independent companies that go on to operate the facility after licensing, i.e. applicant and
operator are one and the same. An exception to this relates to the storage of plutonium and the
treatment and final storage of radioactive substances. In this case, the Federal Office for
Radiation Protection is the applicant and operator.
The manufacturer or supplier of the nuclear facilities, for which the application is
made, supports the applicant in drawing up the application documents.
Involvement of the public
If the licensing authority states that the application, the safety report and the brief
description contain all the necessary information for the citizens, the project can be made
82
public. The planned project will be made public by official printed announcement. Usually,
this is the official gazette for the Land. However, this measure alone is not sufficient, since the
average citizen seldom reads these gazettes. Therefore, it is prescribed by law that the project
has to be announced locally by the press published in the area of the facility concerned.
After public announcement, the most important part of public participation begins. The
application, safety report and brief description are made available for public inspection at the
licensing authority and a suitable location near the project site. During the so-called
presentation period, written objections can be raised. The term “objection” means any kind of
opposition and arguments against the planned project. Thus, there are no formal limitations.
The objections, however, have to be confined to the subject of the procedure. If sufficient
objections are raised within the set period, a hearing will be scheduled.
The Hearing constitutes the conclusion of public participation. This Hearing serves
several purposes. On the one hand, the objections raised within the permitted time are
discussed to clarify the concerns of those objecting. On the other hand, those objecting shall
be granted the right of audience by being given the opportunity to specify their written
objections orally. Further, those objecting shall receive information on other, in many cases
also contrary, opinions.
The Hearing is conducted by a representative of the licensing authority. This person
has to arrange the procedure formally in such a way that all aspects are considered. None of
the objections may remain non-discussed. Therefore, the leader of the Hearing stipulates the
order of the subjects to be discussed at the beginning of the hearing.
The licensing authority has to examine all of the aspects presented and must make a
decision at the end of the licensing procedure. This is a difficult task because of the often
conflicting positions of the different persons involved.
2.3.2.6. Licensing in Germany: legal aspects and procedures of assessment [17]
Objective and reason for an assessment
According to the Atomic Energy Act a licence may only be granted if the licensing
prerequisites are given. This is to be examined by the respective licensing authority which can
either carry out the examinations itself or consult experts. Generally, experts are consulted to
show whether or not protective provisions have been made against damage due to the
construction and operation of the plant in accordance with best engineering practices and if
protection against interference and other impacts by third persons can be ensured.
If a nuclear facility is built, a separate experts opinion is ordered for each partial
licence, as a general rule. Partial licences have to be applied for by the applicant separately
according to the Nuclear Licensing Procedures Ordinance. Thus, the applicant determines the
number of partial licences, as far as there is a legitimate interest in doing so.
Appointment of experts by the authority
Pursuant to the Atomic Energy Act, the responsible authorities are entitled to consult
experts. In general, these experts come from experts organizations. Foremost among these are
Technical Inspection Agencies and GRS. The law, however, also permits consultation with
83
independent individual experts. There are no stipulations regarding special qualification
prerequisites by ordinance, but primarily each expert has to possess technical knowledge and
must be impartial and reliable.
Due to the wide range of technical issues to be clarified when assessing a nuclear
facility, the experts consulted may, upon agreement with the authority, confer sub- contracts
on additional experts, as e.g. GRS. In this respect, the principles on the allocation of subcontracts by experts of the Länder Committee for Nuclear Energy are to be observed.
Documents to be submitted
According to the requirements of the nuclear licensing procedures ordinance, a safety
report, among other things, has to be attached to the application for nuclear licensing,
describing the hazards connected with the plant and the safety measures provided. In 1976 the
Home Secretary (the minister responsible for reactor safety at that time) published “advice
giving outline criteria for a standardized safety report for nuclear power plants equipped with
pressurised water reactor or boiling water reactor”. The publication of the Home Secretary
contains guidance for each section of the outline which should be considered when drawing
up a safety report. A further list, which is the "collection of information necessary for the
examination in the nuclear licensing and supervisory procedures (ZPI), comprises the
documents required for the experts opinion, in addition to the safety report, and which also are
necessary for the accompanying control. The requisition of documents is stated in thematic
order and structured according to submission dates within each subject.
The requisition of documents is subdivided into two categories. Documents of category
“A” are to be submitted for examination of the licensing prerequisites, and documents
belonging to category “B” are related to the fulfilment of constructional requirements or the
accompanying control. The ZPI-list comprises about 50 pages and was developed from the
experiences gained from previous licensing procedures. In particular cases, deviations from it
are possible by non-requisition of single documents stated in the ZPI, or requisition of
additional documents. As a general rule, the required documents are to be submitted by the
applicants.
Assessment criteria
The criteria relevant for an assessment can be ordered hierarchically according to the
their obligatory character. As a matter of course, the Atomic Energy Act and ordinances
belonging to it, as e.g. the radiological protection ordinance, are to be observed as binding.
For nuclear power plants, safety criteria and safety-related guidelines are also to be
observed. The safety criteria include principles on safety-related requirements to ensure
accident prevention according to the Atomic Energy Act. Incidents are listed in the safetyrelated guidelines. If an applicant has based the plant design on this, a licensing authority may
regard the accident prevention requirements as fulfilled.
All directives inferior to ordinances are not legally binding. In general, however, they
represent the “modern most up-to-date science and technology” quoted in the Atomic Energy
Act. An expert has to examine this before their implementation. If need be, he has to consider
the latest operating experiences or latest research results.
84
The Reactor Safety Commission, the Advisory Body of the Federal Minister for the
Environment, Nature Conservation and Reactor Safety, drafted guidelines for pressurised
water reactors and boiling water reactors as a basis for their advisory activities. As the Reactor
Safety Commission debates all significant licensing decisions and makes recommendations on
the respective facts of the case, the RSK guidelines usually also are regarded as assessment
criteria.
In some areas, e.g. over pressure protection for pressure vessels and steam generators,
there are no special nuclear regulations. In this respect, the requirements in accordance with
regulations for conventional engineering are to be adapted to nuclear requirements, taking into
account e.g. aspects of radiation protection.
The nuclear regulatory work is subject to change. It is amended and modified. The
safety standards of the nuclear standards committee (KTA-Regeln) for example are examined
with regard to their relevance to the current situation every five years. The Technical
Inspection Agencies issue loose-leaf summaries for internal use on the nuclear regulatory
work entitled TÜVIS (TÜV information systems) to ensure the application of the latest
regulations. At present, this loose-leaf collection consists of 18 files and is being revised
continuously.
An important tool for assessing the safety of nuclear facilities is the application of
probabilistic methods. It is recommended in the safety criteria for nuclear power plants under
“Principles on Safety Provisions” to determine the reliability of essential safety-related
systems and plant components with the aid of probabilistic methods, as a supplement to the
deterministic overall safety assessment of nuclear power plants. Currently, these are often
applied.
Form and contents of the assessment
It is the objective of the expert organizations to proceed according to uniform rules
regarding the kind and scope of the assessment. For this purpose, when the technical
inspections agencies became associated, the head office for nuclear engineering of the
technical inspection agency (TÜV-Leitstelle Kerntechnik) decided on a standard outline and a
directive for safety assessment requirements for nuclear power plants with pressurised water
reactors and boiling water reactors. Further, there is the “General Guideline on the preparation
of experts opinions in nuclear administrative procedures” of the Home Secretary issued in
1983.
The outline of an experts opinion corresponds to the outline of a standard safety report.
According to the guidelines mentioned above, the introduction of the opinion embodies the
task and assignment of duties. This is followed by a description of the facts of the case to be
examined, all of which are solely based on the application documents.
The assessment criteria for the layout of the respective safety equipment put up by the
manufacturer are stated in the section “assessment criteria” and are examined with regard to
completeness and applicability.
The inspections carried out by the expert for the advisory assessment of the facts of the
case are stated in the section “description of the inspections”. In the simplest case, it is a
matter of comparison with the regulation requirements. Calculations are also carried out by
85
the applicant, sometimes with diverse computer programmes, e.g. in the field of failure
analysis, strength, probabilistic or physical design. In many cases, conservative estimates are
sufficient to substantiate the experts opinions.
The examination of the completeness of supporting material submitted is an important
part of the activities of the experts. It has to be examined, for example, whether or not all
postulated incidents and the resulting loads have been taken into account.
Based on a comparison of the examination results with the safety assessment standards
an experts assessment of the facts of the case is carried out. For this purpose, the positive and
negative results of the examinations are discussed in detail. Should the occasion arise that a
positive overall result can only be achieved by fulfilment of later requirements by the
applicant, these requirements have to be worked out carefully in accordance with the results of
the experts opinion. These requirements, however, must be feasible.
The expert has to sign his opinion personally with the following statement: " hereby
declare to have delivered this opinion impartially according to the best of my knowledge and
belief and free of pre-decided results'.
Licensing steps
The nuclear licensing authority not only has to examine the formal and material nuclear
licensing prerequisites, but also has to observe other regulations under public law.
Even though the authority states that the applicant of the project has fulfilled all
nuclear licensing prerequisites as well as all other regulations under public law, and even if
the result of the environmental impact assessment was positive for the applicant, the nuclear
licence does not necessarily have to be granted. Now, the authority may use its discretion, as
the authority is vested with the so-called rejection discretion according to the German Atomic
Energy Act. This means that the authority may reject the application even if all licensing
prerequisites have been met. Nevertheless, the discretionary considerations have to be
reasonable and, in particular, correspond to the specific appropriation in accordance with the
Atomic Energy Act. Thus, an arbitrary decision will not be allowed. A “discretion” is only
possible if aspects concerning single nuclear licensing prerequisites and other regulations
under public law could not have been examined up till then.
In general, many aspects and partly contrary points of view are being brought together
through the involvement of citizens and authorities. The licensing authority has to consider
decision alternatives thoroughly on the basis of these aspects.
Rejection of the project application
If the licensing prerequisites have not been fulfilled and fulfilment cannot be ensured
by additional conditions, the application for construction and operation has to be rejected.
Preliminary decision
It is possible that the applicant applied for a preliminary decision instead of a licence. It
is permitted by law to issue a preliminary decision on special subjects if the granting of a
nuclear licence depends on a positive response to special items. Thus, only questions at the
86
preliminary stage of a later licensing procedure will be clarified. By this, the preliminary
decision anticipates statements of the later construction or operating licence. It is not
prescribed by law which items can be clarified in advance by a preliminary decision. Only the
preliminary decision on the plant location is expressly stated.
Full licence
The full licence for construction and operation of a nuclear facility is the guiding
principle of the law. In general, however, such a project is so complex that it cannot be coped
with by a single official decision. Therefore, it is common practice with major projects to
divide the entire licensing procedure into several steps. The procedure subdivided into several
sections, each of them ending with a decision-in -part of the authorities, i.e. the partial licence.
Partial licences
The stepwise procedure has several advantages. By subdividing the information
material into several sections the procedure becomes more transparent. The work can be
planned efficiently, thus saving time and costs. Moreover, applicant and licensing authority
can each react more flexible in case of particular, small procedural steps. Above all, this
manner of proceeding respects the principle of best possible danger prevention and risk
precautions as each partial licence must correspond to the state of the art. First of all, an
application by the operator for a decision by the authority on partial licensing procedures is
required according to the law. For this purpose, the applicant has to demonstrate a legitimate
interest in partial licences. The legitimate interest of the applicant consists generally of
securing stepwise his considerable investment. The investment risk can be reduced by the
granting of partial licences.
Legal security is provided insofar as the licensing authority is bound by the licensing
decision made. If the facts of the case do not change and the legal situation does not change to
the disadvantage of the applicant, the applicant can count on the continued validity of the
partial licence issued. The discretionary rejection becomes increasingly limited with each
additional partial licence granted until, finally, the applicant has a legal right to the granting of
the last partial licence, which is normally the operating licence.
Just as with a full licence, the partial licence is a beneficial administrative act. It
permits specified actions to be taken such as excavation, construction of the reactor building
or installation of vital operational or safety systems etc. Usually, a partial licence involves
various conditions and referrals.
The partial licence differs from the full licence only by its limited regulatory content. In
contrast to a full licence, the partial licence does not permit the complete construction and
operation of a plant, but only parts of it. This implies that the nuclear licensing authority has
carried out definitively an examination of and judgement on the licensing prerequisites for
each partial licence.
Preliminary positive overall decision
In the end, the total of all partial licences shall be equivalent to the full licence, but this
can only be achieved, if the parts fit together. Therefore, the partial licences must be related to
87
each other. The alignment can only be made if the total project as planned by the applicant is
kept in view. If, for example, the foundation of the reactor building is licensed by the first
partial licence, it is necessary to know the loads on and floor plan of the building. This, on the
other hand, requires an adequate knowledge of the components, systems and machines which
are to be located in the building. Therefore, a licence for a plant component can only be
granted if the licensing authority has clarified the requirements of the total project at the
outset. This implies a decision on the basic approval of the whole project. The preliminary
positive overall decision represents the necessary linking between the licensed plant
component and tie entire plant as planned.
Announcement of the decisions
The nuclear licensing procedure ends with an announcement of the decision of the
authority. The authority has to promulgate its decision and the grounds for it in writing, and,
of course, deliver it also to the applicant. In addition, the decision has to be delivered to the
objectors as well.
Further, the decision will be announced to the public in the official publication gazette
and the local newspapers in the area of the plant. If more than 300 persons raised objections,
the individual serving of the decision will be replaced by a public announcement.
As only the decision together with the instructions for legal remedy will be published,
and not the grounds for the decision, every citizen has the right to inspect the entire decision
within two weeks beginning with the public announcement at the licensing authority or
another office near the nuclear power plant. Upon request, those who object can obtain the
decision in writing from the licensing authority. For this purpose, important partial licences —
as e.g. the first partial licence or the first operating licence — usually are printed in book
form.
Additional licences
Further to licensing pursuant to the Atomic Energy Act, a series of licences is
additionally necessary due to parallel laws.
Regional planning procedure
The regional planning procedure serves the purpose of examining if and, where
applicable, under which conditions the planned nuclear power plant meets the requirements of
regional planning.
Construction licence procedure
All facilities to be built at a nuclear power plant require a licence according to building
laws just as for conventional construction projects. In general, several partial construction
licences will be granted. The first partial construction licence may not be granted before the
first nuclear partial licence has been granted. In some Länder, the nuclear licensing according
to the Atomic Energy Act includes the construction licence.
88
Licensing procedure according to Emission Control Act
A licence according to the Federal Emission Control Act is required for cooling towers,
conventional boiler systems and start-up boilers.
Permission procedures according to water law
The lowering of the ground water level, the treatment and drawing off of surface water
during construction as well as the tapping and discharge of cooling water later during
operation, all require permissions according to the water law.
Industrial law procedures
Reactor pressure vessels, steam generators and all other pressure vessels have to be
licensed according to the industrial law, particularly with regard to maintaining industrial
health and safety standards.
Plan approval procedure
According to the Atomic Energy Act, the Länder have to establish land collecting
points for the interim storage of radioactive waste produced in their territories and the federal
government has to establish facilities for safe custody and final storage of radioactive wastes.
The construction and operation of these federal facilities as well as all major modifications of
such facilities or their operation are subject to plan approval. The procedure for it is stipulated
in the administrative procedure law.
An important difference between plan approval procedure and licensing is the
placement of all licences and similar official documents under one authority, i.e. the plan
approval authority, unless otherwise stipulated by law. Only the regulations of mining and
deep-storage law are not subject to plan approval.
The plan approval represents an official function with regard to the facility plan. On the
basis of a particularly formal procedure, the admissibility of specified facilities with regard to
all public interests affected shall be determined. Further, all relationships related to public law
between the operator and the persons affected by the plan shall be regulated finally in such a
way that the required licences and similar documents subject to other legislative provisions
are replaced by the decision of the plain approval authority. The incontestability of the legal
continuity of the licence under public law shall be guaranteed by this decision.
The procedure ends with the plan approval decision comprising all licences under the
respective laws regarding areas of speciality. In contrast to the licensing procedure for nuclear
power plants, partial licences are not provided for in the plan approval procedure.
A particular regulation with regard to the mining law is stipulated in the Atomic
Energy Act. The plan approval does not cover the admissibility of final storage according to
the mining and deep-storage law. The decision on admissibility is a matter for the responsible
mining authority.
In contrast to the plan approval procedure, the mining law procedure is a continuous
procedure which is carried out parallel to mine operation. It ends with the shutdown of the
mine and, if necessary, the re-cultivation of the premises.
89
2.4. QUALITY ASSURANCE, PERFORMANCE REVIEWS AND SELF-ASSESSMENT
IN THE REGULATORY BODY
2.4.1. Quality assurance
2.4.1.1. IAEA criteria for quality assurance
Quality assurance plays an important role in regulatory activities. Quality assurance
programmes within utilities and their subcontractors and especially the implementation of these
programmes is of vital importance to nuclear safety. Simultaneously, the quality assurance
programme of the regulatory body itself and implementation of the programme are of great
importance. When studying the QA viewpoint of activities of regulatory body the same criteria
as presented for nuclear industries is a good starting point.
Article 13 of the Convention on Nuclear Safety [11] concerns quality assurance and
requires: “Each contracting party shall take the appropriate steps to ensure that quality
assurance programmes are established and implemented with a view to providing confidence
that specified requirements for all activities important to nuclear safety are satisfied throughout
the life of a nuclear installation.”
Basic objectives, concepts and principles to ensure the safety of nuclear facilities are
presented in the IAEA “Safety Fundamentals” [8]. The Safety Fundamentals document forms a
top level publication in the hierarchy of the IAEA Safety Series. Some of those issues concern
quality assurance like:
“Quality assurance practices are an essential part of good management and are to be
applied to all activities affecting the quality of items, processes and services important to safety.
Inherent in the achievement of quality is the adoption of a quality assurance programme, which
includes the planned and systematic actions necessary to provide adequate confidence that
specified requirements are satisfied. Implementation of the quality assurance programme
involves managers, performers of tasks, and those responsible for verification and assessment of
the effectiveness of the programme. It is not a sole domain of a single group. However,
management has the key responsibility to ensure that the programme functions properly and to
establish and cultivate principles that integrate quality assurance practices with daily work
activities.”and
“Quality needs to be verified by a disciplined approach. Thus, quality assurance
practices include:
x
x
x
x
x
x
x
x
90
A detailed analysis of the objectives to be achieved;
An analysis of the tasks to be performed;
The identification of skills required;
The selection and training of personnel;
The use of appropriate equipment and procedures;
The use of document control and record systems;
The creation of a satisfactory working environment; and
A recognition of individual responsibilities.
The extent and type of quality verification need to reflect the safety significance and
nature of the individual tasks. Such verification methods include audits, checks and examinations to ensure that each task has been satisfactorily performed or that any necessary actions
have been taken. However, the basic responsibility for achieving quality remains with the
performer of the task, not the verifier.”
The other QA related criteria presented in the Safety Fundamentals Document are as
follows:
x Organizations engaged in activities important to safety shall establish policies that give
safety matters the highest priority, and shall ensure that these policies are implemented
within the managerial structure having clear divisions of responsibility and clear lines of
communication.
x Organizations engaged in activities important to safety shall establish and implement
appropriate quality assurance programmes that extend throughout the life of the
installation, from siting and design through to decommissioning.
x Organizations engaged in activities important to safety shall ensure that there are sufficient
numbers of adequately trained and authorized staff working in accordance with approved
and validated procedures.
x The capabilities and limitations of human performance shall be taken into account at all
stages in the life of the installation.
In accordance with the Safety Fundamentals document the quality assurance principles
shall be applied in all organizations engaged in activities important to nuclear safety.
More detailed IAEA Requirements are presented in [6]. The Requirements document
presents basic requirements and principles that in the light of experience and the current state of
technology must be satisfied to ensure adequate safety. The main objective is to place emphasis
on work results, recognising the responsibilities and contributions of managers, workers and
those who assess the quality of work. The purpose of this kind of performance-based approach
to quality assurance is to prioritise programme implementation and effectiveness, rather than
programme development and documentation.
Plenty of other regulations exist for quality assurance programmes (quality systems). A
series of ISO 9000 documents is a generally approved and largely used foundation. Further, the
regulatory bodies have their own requirements defined in national regulations and safety guides.
2.4.1.2. Quality assurance programmes
The quality assurance programme is a component of good management and is essential to
the achievement and assessment of high quality of products, services and work processes. To
ensure a proper implementation it is important that the quality assurance programme is tailored
to an organization by taking into account existing routines and specific features of the
organization. The requirements constitute the foundation of a comprehensive quality assurance
programme.
91
These basic requirements are divided into three functional categories:
x
x
x
Management.
Performance.
Assessment.
2.4.2. Performance reviews — IAEA IRRT services
2.4.2.1. Purpose
The International Regulatory Review Team (IRRT) service provides advice and
assistance to member states to strengthen and enhance the effectiveness of their nuclear safety
regulatory body [18].
2.4.2.2. Objective
The key objective of an IRRT mission is to enhance nuclear safety by:
x Providing the host country (regulatory body and governmental authorities) with an
objective review of their nuclear regulatory practices with respect to international
guidelines;
x Providing the host regulatory body with recommendations and suggestions for
improvement in areas where their organization or performance can be improved or falls
short of internationally accepted practices;
x Providing key staff at the host regulatory body with an opportunity to discuss their
practices with experts who have experience of other practices in the same field;
x Providing all member states with information regarding good practices identified in the
course of the review; and
x Providing experts from member states and the IAEA staff with opportunities to broaden
their experience and knowledge of their own field.
2.4.2.3. Scope
An IRRT mission can review following topics:
x
x
x
x
x
x
x
x
x
x
x
92
Legislative and governmental responsibilities;
Authority, responsibilities and functions of the regulatory body;
Organization of the regulatory body;
Authorization process;
Review and assessment;
Inspection and enforcement;
Development of regulations and guides;
Emergency preparedness;
Radioactive waste management and decommissioning;
Radiation protection, and
Transport safety.
2.4.2.4. Experience
The IRRT service was inaugurated in 1989 and four missions were completed in the
period to 1994. Since 1997 there has been a much greater demand for the service and during
this period missions to Bulgaria, Romania, Slovakia, Ukraine, Switzerland, Slovenia, Czech
Republic, Finland, Hungary and China were completed. Pre-IRRT missions to Viet Nam and
Indonesia have also been completed. There is now a very high demand for the service.
Although the service started with a focus on regulations for NPPs, most missions now include
reviews of regulations in the areas of radiation, radioactive waste and transport safety.
2.4.2.5. Recent developments
The experience gained during the completed missions and the new Safety Requirements
Document on Legal and Governmental Infrastructure have been used to revise and update the
IRRT guidelines. Recent work has concentrated on developing the guidelines for the review of
radiation safety, radioactive waste management and the interface between the regulatory body
and the operator. Follow-up visits are envisaged in the future.
2.4.3. Quality assurance and self-assessment in the regulatory body — an example
The basic elements of the quality assurance programme presented in 2.4.1.2. For the
internal QA programme of the regulatory body are reflected in the following country specific
example STUK (Finland).
2.4.3.1. Management
Nuclear Energy and Radiation Protection Acts and Decrees as well as the Decree on
STUK define the regulatory framework in Finland. They also set our objectives and basic duties
in the legislation. General safety requirements are given in the Decisions by the State Council
(i.e. Cabinet of Ministers). Detailed technical and administrative instruction relative to the
design, construction, commissioning and operation of nuclear power plants are given in the YVL
guides published by STUK. These guides form a practical basis for the regulatory work.
Through the YVL guides STUK transfers the legislative requirements to the practical control
and inspection related requirements. In addition to the YVL guides STUK has internal guides
which define administrative and inspection related practices.
The quality assurance programme of Radiation and Nuclear Safety Authority (STUK)
consists of many duties and work processes which are defined in several STUK manuals and in
the department specific YTV manual. In addition to the legislation and YVL guides work
practices are defined in the manuals as follows:
x
x
x
x
x
STUK quality manual;
Administration manual;
Financial administration manual;
Emergency preparedness manual;
Communications manual.
All of these manuals were established by examining legislation, and considering the
expectations and needs of main counterparts. Co-operation modes, requirements for the nuclear
93
YVL guides. The YTV quality manual and the emergency preparedness manual are the main
internal documents which regulate actions of regulatory control within the department of nuclear
reactor regulation. The organizational structure and individual job descriptions of the nuclear
safety control are included in the YTV quality manual.
Training and qualification
There are training procedures in the YTV quality manual and training manager position
in the organization. The inspector training programme has been developed and implemented.
Necessary knowledge and skills for performing the duties have been identified. Staff selection
methods exists [19].
Document control and records
All information exchanged between the regulatory body, other governmental bodies,
the operator, its contractors, advisory committees and the regulatory body's consultants and as
appropriate, members of the public should be formally recorded upon receipt and stored in a
manner that allows for easy retrieval. It is particularly important that documents related to
enforcement action can be accessed when required.
There is an act controlling archives of governmental organizations. This act requires that
each organization must have an archive rule defining necessary activities in registration. It is a
folder containing the rule and following appendixes: structure of the register, list of documents
which are not registered, registration, detailed structure of the register, handling of secret
documents, borrowing of a document from the register, organization, job descriptions, fees of
copies, protection of documents, destroying of documents. Concerning nuclear power plants
there is a separate substructure for each NPP containing the following headings: NPP
administrative control, licensing document control, NPP systems, components and structures
according to a system list, trial tests, control of operations of NPP (reports etc.), nuclear fuel,
nuclear material, nuclear waste. All these materials are kept permanently, NPP procedures are
kept when they are still valid. After the decommissioning of NPP these documents will be sent
to the national archives for research purposes. There are some documents which are kept until
decommissioning and then 5% of the annual documentation will be sent to national archives.
2.4.3.2. Performance
The YTV quality manual includes also procedures to define safety performance
objectives as well as annual performance objectives as part of longer term strategy. Working
methods which stress quality and satisfactory working environment as well as relationships
with the customer groups are also included.
When applied to the operating NPP’s, regulatory control contains assessment and
inspections which can be divided in three categories as follows:
x
x
x
Periodic inspections as specified by STUK in plant specific programmes;
Topical inspections to be requested by a plant owner on a basis of YVL guides;
Safety re-assessment.
The inspections contained in the periodic inspection programme are focused at safety
significant functions and processes applied by the utility. The control aims to ensure
94
compliance with the regulations and the plans and programmes approved by STUK, and to
assess the appropriateness of the utility activities.
Nuclear power plant operation includes activities which can be implemented only after
STUK’s approval of the activity has been granted. The approvals are tied to preceding
inspections. It is also verified afterwards that the implementation complies with the plans and
meets possible regulatory conditions. Requirements and obligations which apply to
inspections of different topics are presented in the YVL guides.
The important inspections which the operating organization is obliged to request are
the inspections of repairs and modifications. For all the repairs of failed safety significant
components, as well as for all modifications of the safety systems the operating organization
has to present their plans in advance for STUK approval. The plan has to include technical
documentation as needed to verify the acceptability of the functional features, structure, and
materials of the repaired or new equipment. Also the repair or installation method, quality
control, and tests after the work have to be presented. When the work has been completed, the
operating organization has to ask for construction and/or commissioning inspections.
The safety level of the nuclear power plant is re-assessed after any abnormal event, and
the need for corrective measures is considered. To ensure a systematic analysis of the event
and its causes, an investigation team by STUK is nominated. The team has to find out root
causes of equipment failures and human errors and weaknesses in the performance of the
operating organization as a whole. At the end the team has to present a report including
recommendations for corrective actions, intended to prevent re-occurrence of similar events.
A similar parallel activity is required from the operating organization, and it has to submit its
special report for regulatory approval. A thorough evaluation of the situation at the Finnish
plants is also done if an event reported from a foreign nuclear power plant is suspected to be
of such a nature that it might as well occur in our country.
Besides feedback from the operating experience, safety re-assessment is done on the
basis of PSA studies and in view of new information gained from safety research programmes.
Periodic safety reviews are also carried out, e.g. when operating licences of NPP’s are
renewed.
In addition to the regulatory control of nuclear power plant operation, STUK maintains
its preparedness to act in plant emergencies. In an emergency, STUK is the authority
controlling accident management and an expert body providing assistance to the authorities in
charge of the rescue services.
2.4.3.3. Assessment
The regulatory body should have a system to audit, review and monitor all aspects of
its activities such as inspection and enforcement activities to ensure that they are being carried
out in a suitable manner and that changes to them that are needed, due to improvements in
techniques or otherwise, are implemented. This system should consider among other matters,
in the case of inspection and enforcement:
x
x
Inspection guidance and inspection methods;
Inspection resource allocation;
95
x
x
x
x
x
Procedures within the regulatory body in relation to inspection activities e.g. planning of
inspections;
Procedures for co-ordination of inspection activities with the review and assessment
process;
Procedures for involving consultants in inspection activities;
Recording of documentation;
Procedures related to enforcement actions.
Effectiveness of the regulatory activities is assessed through normal everyday
supervision and through periodical self-assessment reviews where management, organization,
work methods, quality of work, communication, human aspects etc. are handled through some
systematic review method and where there is a possibility to get feedback internally or from
other organizations. Some outside organizations can be used also for independent assessment
such as IAEA IRRT services to review regulatory activities.
For example in STUK self-assessment project was carried out in 1995–1997. The
criteria set for the Finnish quality award (see Table VIII) were used as model in this
assessment and via this process strengths and weaknesses of our working methods were
identified and relationships with our customer groups were also handled. Topics included
leadership, management and analysis of information and data, strategic planning, human
resource development, process management, results of performance, customer focus and
satisfaction, society and environment related influence. The method is mainly intended for
commercial companies but can be used also in analysing governmental organizations. This
project provided good information for future development. Also work environment
evaluations carried out by external companies as well as communication training sessions
have been organized for improving working conditions and atmosphere.
The periodic inspection programme is reviewed annually through feedback gained
during the previous year. The organizational units and individuals are reviewed through
performance appraisals annually or more frequently. Guides and procedures are reviewed once
in four years and then new developments and work methods can be written in the new
revisions.
The IAEA IRRT mission was carried out in STUK in March 2000. The resulting report
is provided through STUK Internet home pages.
2.5. PROFESSIONALISM AND TRAINING OF REGULATORY BODY STAFF
What is meant by professionalism in an inspector’s work? How can professionalism be
developed? These are the key questions for this Section. Inspectors are proud of their
profession. To develop professionalism it is essential to realize the essence of the job. For
supervisors and training co-ordinators this is particularly important because they transmit their
own performance and behaviour through the training they offer to newcomers.
What is professionalism? It is clear that professionalism means competence in terms of
knowledge and skills, education and experience. But this is not enough. Inspection and
assessment must be conducted in an independent and objective manner. Inspectors are not
power company people, nor are they opponents of nuclear power. They perform independent
96
inspection work according to the guidelines, procedures and criteria in an objective manner.
They communicate in a business-like manner, which means that communication is pertinent
and systematic. Because they are inspectors they have a questioning attitude. They do not
assume too much, they ask for explanation and clarification from licensees and their
representatives. They know this phrase “questioning attitude” also from the safety culture
discussions, and they can help to promote safety culture through their questioning attitude.
Last but not least their appearance, fitness and behaviour is in accordance with the expected
behaviour norms. They have learnt that unsuitable appearance and behaviour may ruin their
chance of reaching their goals. This applies also to their inspection work. They affect their
counterparts through their appearance and behaviour and may improve their possibilities to
carry out inspection and to get better response to their findings.
The inspector understands his/her role and duties and knows his/her rights, obligations
and responsibilities. The inspector knows his/her powers in inspection work. The inspector
has his/her priorities in the right order where nuclear safety is concerned.
TABLE VIII. SELF-ASSESSMENT OF STUK ACTIVITIES. THE CRITERIA OF THE
FINNISH QUALITY AWARD COVER THE FOLLOWING ELEMENTS:
Results of performance
x Product and service quality results;
x Company operational and financial results;
x Supplier performance results.
Customer focus and satisfaction
x Customer and market knowledge;
x Customer relationship management;
x Customer satisfaction determination;
x Customer satisfaction results;
x Customer satisfaction comparison.
Leadership
x Personal leadership of top management;
x Leadership system and organization.
Management of information and analysis
x Management of information and data;
x Competitive comparisons and benchmarking;
x Analysis and use of company level information and data.
Strategic planning
x Strategy development;
x Strategies and action plans.
Human resource development and
management
x Human resource planning and evaluation;
x High performance work systems;
x Employee education, training and
development;
x Employee well-being and satisfaction;
x Results of employee development and
management.
Process management
x Design and introduction of products and
services;
x Product and service production and delivery;
x Support services;
x Management of supplier performance;
Society and environment related influence
x Responsibility for the society;
x Management of environmental issues;
x Results of environmental management.
97
2.5.1. Regulatory role and duties
In the following the Radiation and Nuclear Safety Authority (STUK) is used as an
example to clarify the matter. In different countries there are different governmental practices
that must be taken into account if applying the ideas. The philosophy of governmental
regulatory body (STUK in Finland) is as follows:
x
x
x
x
x
The use of radiation and nuclear energy are useful but potentially dangerous activities;
The government needs to find out the acceptability of the activity from the point of view
of the society and to ensure safety as well as to control the activity;
For this, the parliament passed the law establishing the STUK and giving the rights and
necessary sanctions to the STUK;
Then the STUK decides what is right on the basis of powers received from the
parliament.
An inspector’s role and duties in STUK in Finland are as follows:
The inspector is a civil servant of the Finnish government;
The legislation (Nuclear Energy Act) defines the specific role of the Inspectorate, e.g.
the Inspectorate defines safety requirements and the inspectors verify by inspections
the fulfilment of safety requirements;
The Inspectorate also has a specific role in emergency preparedness.
Other laws like pressure vessel and radiation protection laws increase the role of the
STUK compared to some other western regulatory bodies.
The Nuclear Energy Act defines specific duties of the Inspectorate:
x
x
x
x
x
x
x
x
Handling of permit applications;
Control of conditions of permits and specification of detailed requirements;
Set safety requirements;
Control of fulfilment of safety requirements;
Set conditions for the persons involved in the use of nuclear power and study the
fulfilment of the conditions;
Give expert assistance to other authorities;
Perform necessary research and participate in the international co-operation;
Refer to decisions and give statements on the base of control.
STUK publishes the regulatory requirements in the form of regulatory guides called
YVL guides. The guide YVL 1.1 “STUK as the regulatory authority for the use of nuclear
energy” [16] presents the forms of control and inspections made by the STUK. For a specific
inspector the duties are defined in the job description.
2.5.2. Rights
According to the Nuclear Energy Act the inspector has the following rights:
x
x
x
x
98
He/she has access to the place of inspection;
The inspector can inspect, measure and get samples;
He/she gets necessary information and documents, plans and agreements;
He/she can give orders, require settlements and reports and have research made.
2.5.3. Obligations
In his/her work the inspector must note the following obligations:
x
Principle of law. In regulatory work we must follow the law; we know the law and the
subject matter; we know how to act and what kind of rights we have; we act without
delay in an open, correct and honest way.
x
Principle of equality. All citizens and organizations must be dealt with equally. In similar
cases there should be similar solutions. This means that we know possible solutions and
the solutions already used. The YVL guides define in many cases the main guidelines.
Supervisors must ensure that these are followed. We are open and honest.
x
Principle of correct aims. When considering a solution it is not acceptable to promote
other goals than what is the case.
x
Principle of proportional sanctions. Sanctions must be in right relationship to an offence.
Seriousness of an offence is considered on the base of safety importance: we do not shoot
a fly with a gun.
x
Principle of objectivity. The regulator must be objective and correct. If one is disqualified
he must pass the matter to another person. Independence is necessary in regulatory work.
A published general attitude may affect the believing on one’s objectivity.
x
Principle of effectiveness. The taxpayers pay the final bill. We must be careful when
using public money; we must work with important matters and our actions must not
consume too much time.
x
Principle of publicity. Generally matters are public. The regulator must be open if the law
does not say otherwise. Openness means speed in publishing and correct content. Keeping
something secret presumes a decision. Documents under preparation are non-public and
STUK may consider if it gives information. There are three reasons for secrecy of
documents: threat of illegal activity (terrorism), trade secret and protection of privacy.
2.5.4. Responsibilities
In law the inspector has the following responsibilities:
x
Disciplinary responsibility. The inspector must act according to his/her duties. In the case
of failure there are sanctions as warning, dismissal for max. six months or final dismissal;
x
Responsibility of criminal legislation. Criminal law mentions e.g. the following
responsibilities that concern government officials: bribe offence, offence against secrecy
of documents and misuse of one’s office;
x
Responsibility for compensation of loss. If the inspector causes economic loss to the
counterpart because of failure in one’s duties caused by purpose or by grave error or by
neglect of duties the employer carries the responsibility in the first place but the
responsibility may apply to the inspector later. There is also a principle of moderation to
99
be applied in this kind of cases. As an example a serious case in this respect may be if the
regulatory body (representative) orders the plant to be shut down without reasonable
safety importance.
2.5.5. Relationships with the power company
Relationships with the licensee should be clear. An atmosphere of confidence and
respect should prevail between the two parties. One should remember that a plant manager has
full responsibility for the plant safety. The regulator ensures that operator fulfils this
responsibility. Therefore the inspector gets all the information and documents needed for
assessment and has right to inspect. It is always good to give an operator a chance to comment
and propose a solution for the problem.
If needed the regulator has tools for enforcement. E.g. STUK has strong tools at its
disposal. However, the strong enforcement tools have not been used in practice. We think that
for achievement of a high safety level it is better to motivate people to do good work, rather
than to threaten them by fines or other penalties. Especially we want to avoid charges against
individuals who have committed errors by mistake or due to shortcomings in training and
information provided to them. It is also recognised that the use of legal or monetary penalties
does not resolve the structural root causes of the problems. Experience has shown that a very
effective way of enforcement is public information about abnormal events at the nuclear
power plants.
2.5.6. Professional behaviour
How should a professional inspector behave? The inspector conducts inspection and
assessment independently and in an objective manner. One listens to licensee representatives
carefully so that he/she understands information properly. The inspector communicates in a
pertinent and systematic manner. He/she uses moderate language in oral and written
communication and avoids extreme expressions. One knows how to handle proprietary
information. The inspector avoids negative attitudes and he/she tries to promote safety culture
with positive attitudes.
2.5.7. Inspection/auditing techniques
Inspection/auditing techniques are a special skill the inspector must have if he/she is
going to perform inspections successfully. In the following some key ideas are presented to
stimulate your imagination. A suitable technique depends on the type of inspection. Your
successful ideas and techniques should be discussed with your colleagues because through
experience we learn these things.
There are several methods for acquiring information: review of written material,
interviews with personnel, direct observation of performance, status and activities,
independent testing. Before inspection one must decide what written information to read
before going to the plant and what during the inspection/audit. At the beginning of inspection
the inspector establishes a good communication with the licensee representative and gives the
general overview on the inspection. The inspector takes control of inspection activities: is well
prepared; does not assume but asks questions, takes detailed notes, and adheres to plant rules.
When performing the inspection one pays attention to detail and gets to the root cause of
100
problems; one verifies and evaluates findings and searches for objective evidence; one should
take bigger sample if he/she is unsure of problem scope or existence.
When interviewing people one asks open questions avoiding “yes” or “no” answers,
e.g. by using words how, who, what, when, why, show me and he/she listens the answers
carefully. The inspector does not reveal his/her opinion of the answer and does not compare
different organizations. One does not disagree between the team members during the
interview and one admits if his/her question is beyond the level of his/her knowledge. The
inspector is objective and shows rather positive attitudes than negative and arguing attitudes.
If the inspector finds deficiencies he/she gets admission from the licensee representative.
Professional attitude in inspection is that the inspector tries to find problems and areas
for improvement but leaves finding of solutions to the power company.
2.5.8. Inspection philosophy
It is important for the regulatory body to define inspection philosophy — to formulate
some kind of inspection programme. In Finland the nature of the inspection programme has
been defined in the YVL-guide 1.1. In different countries the inspection philosophy varies
somewhat. What functions well in a small country may not be applicable in a big country and
vice versa. Therefore it is useful for the inspector to exchange information with colleagues
from other countries to get new ideas for developing inspection practices in one’s own
country. E.g. there is a working group of inspection practices (WGIP) of the
OECD/NEA/CNRA for this kind of information exchange among OECD countries and it has
published some useful documents in this respect e.g. presenting the inspection philosophy,
organization and practices in different countries [15].
Inspectors should also have some tools to prioritise inspection work. A safety
classification document is a useful tool in this respect. Use of PSA is also used increasingly to
prioritise inspections. We are nuclear safety inspectors. Therefore the most important
viewpoint in inspection for us is nuclear safety viewpoint. From a philosophical point of view
the application of basic principles of defence-in-depth concept are central. Inspectors should
know the concept so well that he/she even by instinct covers the key points in his/her
inspection work. Application of the concept is a good sign of the right safety culture attitudes.
Starting from the basic principles of “defence-in-depth” thinking, we should
concentrate on the following three lines of defence in our inspection work:
x Prevention of failures.
x Monitoring or detection of failures.
x Making sure that failures cannot recur and mitigation of consequences of failures.
Specifically, when operations, maintenance and technical support of NPPs are
concerned. Each of these topics leads to more detailed sub-items depending on the topic such
as:
x For prevention: are there proper procedures and are they used, preventive maintenance
programmes, tools and working conditions, briefing and training, QA etc.;
101
x For monitoring and detection: are there proper alarms and alarm procedures, surveillance
programmes, testing procedures and criteria, testing lines and measuring devices etc.;
x For experience feedback and mitigation: are there proper operational feedback systems
and methods, component repair and reliability histories, reactor protection system
response, incident procedures, accident management procedures, etc.?
When the organizational and safety culture aspects are considered the following key
items should be considered:
x Policy level commitment.
x Managers’ commitment.
x Individuals’ commitment.
Also in this case each of these topics leads to more detailed subitems to be considered
such as: is there a proper safety policy statement, where are the safety topics handled in the
documentation (policy level, QA manual, Tech. Specs, respective procedures); what is
management and individuals’ opinion on the subject matter: what have they done to minimise
the risk, do they support the finding, what are they going to do to improve the situation, why it
was possible that the inspector made the finding before they realised the unsafe situation, how
often unsafe situations appear, how often inspectors make these findings etc.
Our questions and review should be directed in such a way that these aspects will be
covered if they are applicable in the inspection in question. If our work reflects these aspects
systematically we have good opportunities to promote nuclear safety and safety culture
through our work.
2.5.9. Maintaining competence
How does a professional inspector maintain competence. One follows the development
in his/her technical field of speciality. One keeps up to date with changes in regulatory policy
and practices. One develops his/her skills in inspection and assessment to the highest level for
being able to develop practices and not only to perform routine work.
If this is your goal how do you organize the matter?
2.5.10. Training of inspectors
One of the central prerequisites for professionalism is competence i.e. knowledge,
skills and attitudes needed for the job in question. The IAEA Requirements for Governmental
Organization say that a regulatory body shall ensure that its staff members participate in welldefined training programmes. Continuing training is also required. For well-defined training
programmes the regulatory body needs training administration as well as initial and
continuing training. Table IX shows the basic elements of regulatory training programme [19].
Organization of training depends on the size and resources of the regulatory body. A
small and inexperienced regulatory body needs external international support. A large and
experienced organization may be self-sufficient. In any case international information
exchange is needed for continuing training to get fresh and new ideas for further development.
Examples of regulatory competencies and training activities in a regulatory body are given in
[20].
102
TABLE IX. ELEMENTS OF REGULATORY TRAINING PROGRAMME
Basic knowledge
x Familiarization with the law and radiation and
industrial safety;
x Nuclear safety principles and safety culture;
x Plant and systems knowledge;
x Accident analysis and emergency planning;
x QA and organizational matters.
Professional knowledge
x Regulatory control;
x Assessment skills;
x Inspection skills;
x Job specific training courses;
On-the-job training.
Communication and management skills
x Effective writing skills;
x Interviewing skills;
x Negotiation skills;
x Leadership and team work skills.
Continuing training
x Refresher training;
x Further personal development;
x Information exchange and international cooperation.
For the well-defined training administration training manager/coordinator as well as
training policy and necessary training procedures are needed. Job descriptions are needed for
preparing systematic, job specific and individual training programmes. Furthermore training
courses, facilities and training materials should be established. In addition to training courses,
a systematic approach by using individual on-the-job training guidelines is needed. A good
model is provided by the OECD/NEA/CNRA/WGIP through its inspector qualification
guidelines [21].
3. ASSESSMENT OF SAFETY
3.1. IAEA GUIDANCE FOR REGULATORY REVIEW AND ASSESSMENT2
Review and assessment is one of the regulatory body’s principal functions. The size
and composition of the regulatory body, including consultants and advisory committees,
reflect the extent and nature of the facilities that it regulates and may also vary depending on
the phases of the facilities’ life-cycle.
When using consultants, the regulatory body carefully defines the terms of reference
for the review and assessment. Consultants possess a clear understanding of the regulatory
body’s safety objectives. The regulatory body has permanent staff with sufficient competence
to manage the work of consultants and to evaluate the quality and results. The use of
consultants shall not relieve the regulatory body of any of its responsibilities. In particular, the
regulatory body’s responsibility for making decisions and recommendations shall not be
delegated.
2
INTERNATIONAL ATOMIC ENERGY AGENCY, Review and Assessment of Nuclear Facilities by the
Regulatory Body, GS-G-1.2 (in press).
103
The basic objective of review and assessment is to determine whether the operator’s
submissions demonstrate that the facility complies throughout its lifetime with the safety
objectives, safety principles and safety criteria stipulated or approved by the regulatory body.
The specific objectives of the review and assessment depend on the stage of the lifetime of the
facility. Examples of these specific objectives are presented in Table X.
TABLE X. EXAMPLES OF SPECIFIC OBJECTIVES OF REVIEW AND ASSESSMENT
x To determine whether an operator has the ability and resources to discharge its obligations
associated with any authorization granted for any stage of the lifetime of the facility.
x To determine whether the chosen site is suitable for the proposed facility, account being taken of
the site–facility interaction and, anticipated changes to the site environment during the proposed
period of operation, and to recommend to the appropriate authorities requirements on the site
surroundings that may be considered necessary by the regulatory body.
x To determine, before manufacture, construction, installation or decommissioning, whether the
design related, operational or decommissioning related proposals in relation to the facility, and
other operator statements and commitments, meet the regulatory body’s requirements, and to
impose any further conditions or requirements that may be considered necessary by the regulatory
body.
x To determine whether the commissioning test programme is complete and contains a well defined
set of operational limits, test acceptance criteria, conditions and procedures; whether the
commissioning tests can be safely conducted; and whether the test results are adequate for
confirming the adequacy of all safety related features of the facility.
x To determine whether the operator has a safety management system that meets the regulatory
body’s requirements.
x To determine whether the operational limits and conditions are consistent with the regulatory
body’s requirements, the operational characteristics of the facility and the state of knowledge and
operational experience, and whether an adequate level of safety is maintained.
x To determine whether the operator’s personnel, in terms of both number and competence, meet
the regulatory requirements at all phases of the life-cycle of the facility.
x To determine whether proposed modifications to the facility have been conceived and
implementation planned so that safety is not compromised.
x To evaluate safety reviews performed by the operator including performance indicators.
x To determine whether the operator’s statements and commitments regarding decommissioning
and closure meet the requirements of the regulatory body.
The review and assessment is primarily based on the information submitted by
operator. For the thorough review and assessment of the operator’s technical submission
regulatory body acquires an understanding of the design of the facility or equipment,
safety concept on which the design is based, and the operating principles proposed by
operator. The regulator satisfies itself that:
104
the
the
the
the
x The available information demonstrates the safety of the facility or proposed activity;
x The information contained in the operator’s submissions is accurate and sufficient to
enable verification of compliance with regulatory requirements; and
x The technical solutions, and in particular any novel ones, have been proven or qualified by
experience or testing or both, and are capable of achieving the required level of safety.
The regulatory body prepares its own programme of review and assessment of the
facilities and activities under scrutiny. The regulatory body follows the development of a
facility or activity, as applicable, from initial site selection through design, construction,
commissioning and operation to decommissioning. Much of the review and assessment will
be connected with specific stages of the authorization process and the depth and content will
vary accordingly. Co-operation of the operator is essential to ensure that review and
assessment can be carried out in an effective and informed manner.
Management of the review and assessment within the regulatory body is an important
part of the process. It includes planning, preparing guidelines, developing competence and
necessary tools for review and assessment, co-ordinating information exchange and activities
internally and externally, keeping a log on documents and actions, making arrangements for
liaison with consultants and advisory bodies, monitoring the progress, collating and
disseminating the overall findings and reporting the results of review and assessment.
3.1.1. Safety objectives and safety requirements for review and assessment
Safety objectives and basic safety requirements specify safety goals or protection
levels of performance to be achieved at the facility. However, the regulatory body does not
prescribe specific designs, safety management systems or operational procedures. Safety
objectives and safety requirements may be developed by the regulatory body itself or adopted
from safety objectives and safety requirements developed and published by regulatory bodies
in other Member States or by international organizations. If these are to be adopted, a good
understanding of their basis and use in other Member States should be acquired, and
adaptation may be necessary for specific purposes.
In formulating the content and structure of the safety objectives and safety
requirements to be used in its review and assessment process, the regulatory body may
consider a broad range of sources. Examples of these sources are:
National laws and regulations;
The requirements and experience of relevant national industries;
Technical results and experience of research and development;
Expertise and requirements used by other persons and bodies involved in reviewing and
assessing similar facilities with respect to technology or safety implications;
x Advice obtained from consultants and advisory bodies associated with the regulatory
body;
x Nuclear, radiation and waste safety standards and guidance as well as other information
published, by national and international organizations.
x
x
x
x
105
The regulatory body has a clear understanding, at all stages of the authorization
process, of the basic safety objectives and safety requirements that will be used for review and
assessment. As far as is practicable, these basic safety objectives and safety requirements are
communicated to the operator for guidance in preparing its documentation.
3.1.2. Areas for review and assessment
This section outlines the areas of review and assessment. A list of the topics to be
considered in a review and assessment process through out the life-cycle of a nuclear power
plant is given in 3.2. It is important to note that the safety argument presented by the operator
should at all phases deal with the full range of topics to an appropriate level. At all stages the
operator demonstrates that it is in control of the facility and has adequate organization,
management, procedures and resources to discharge its obligations and as appropriate, its
liabilities.
Site evaluation
In considering an application for siting, the regulatory body will tend to concentrate on
characteristics of the site and, as appropriate, the interaction between the proposed facility and
the site. Site selection for many facilities is initially determined by processes not greatly
influenced by highly prescriptive criteria. However, general national policy requirements
concerning remoteness, local population density and transport arrangements apply.
In all cases, the site of the facility is qualified by review and assessment to determine
potential interaction between the proposed facility and the site, and the suitability of the site
from the point of view of safety. This site review and assessment may be performed in parallel
with the design review and assessment or, as in some member states, may be performed at an
earlier stage. Areas of review and assessment that are of particular significance are the impact
of the local environment, natural and human made on the facility’s safety and the demands
that the facility will make on the local infrastructure.
Design, construction, manufacture and installation
Before authorization of construction of the facility, review and assessment will be
concentrated on the operator’s approach to safety and safety standards and how these have
been applied in developing the design. Features such as the physical layout and building of the
facility and the key process elements and expected radiation doses should be clearly
understood and their effect on the safety of the facility throughout its lifetime are assessed at
the design stage. In addition, before authorizing construction, the regulatory body reviews and
assesses the operator’s arrangements for control of construction, manufacture and installation
activities. Once construction has started, many features of the design can be changed only with
great difficulty and at high cost.
Review and assessment of the design will continue during construction, manufacture
and installation, as the details become finalized. Changes to the authorized design in this
phase are analyzed by the operator and reported to the regulatory body which carries out the
necessary review and assessment.
106
Commissioning
Commissioning can be considered in two stages: inactive, before fissile material is
introduced, and active, after fissile material is introduced. Clearly the radiological risks only
arise after the second stage has been started and therefore it is normal to make the start of this
stage a major step in the regulatory authorization. Both stages of commissioning are carried
out against a programme which has been reviewed and assessed by the regulatory body and is
capable of testing whether the as built facility meets the stated requirements.
The inactive stage of the commissioning is aimed at ensuring that the facility has been
constructed, manufactured and installed correctly and in line with the design documentations.
Where deviations from this have occurred they have been recorded and it has been shown that
the safety analysis has not been compromised. The results of inactive commissioning also
confirm the operational features of the facility and lead to the development of detailed
instructions for operators that will be confirmed during the active phase.
Active commissioning with the introduction of fissile material is a major step in the
authorization process. The review and assessment take into consideration the final or ‘as built’
design of the facility as a whole, the commissioning programme and its progress, the
organizational structure, the qualifications of operating personnel, emergency planning, the
preliminary operational limits and conditions, and the preliminary operating procedures.
Where there are deviations from the design parameters, the regulatory body reviews and
assesses additional analysis provided by the operator.
As the active commissioning processes move closer to completion, review and
assessment are concentrated on how the facility is operated and maintained, and on the
procedures for controlling and monitoring operation and responding to deviations or
occurrences. Before authorizing routine operation, the regulatory body reviews and assesses
the results of commissioning tests including correction of eventual non-conformances. The
regulatory body reviews and assesses any proposed changes to the operational limits and
conditions.
Operation
For routine operation the regulatory body requires the operator to report regularly on
adherence to safety objectives and compliance with specified regulatory requirements, and on
efforts made to enhance safety. The regulatory body reviews and assesses the reports and
performs inspections to confirm whether compliance with safety requirements is maintained
and whether the facility is able to continue in operation.
While the need for reassessment may arise in a number of ways, systematic safety
reassessments termed periodic safety reviews (PSRs) need to be carried out by the operator at
intervals to review the cumulative effects of ageing of the facility and of modifications, and
the implications of operating experience and technical developments. The objective is to
assess the facility against current safety requirements and practices and to determine whether
adequate arrangements are in place to maintain its safety. When a review shows that the
facility does not meet current safety requirements, the significance of the shortcoming is
assessed and the possibilities of meeting the requirements are considered. The PSR enables
the regulatory body to judge whether it is acceptable for the facility to continue to be operated
until the next PSR is carried out.
107
Decommissioning
Review and assessment of decommissioning covers the decommissioning plant and the
procedures and methods to be applied, the anticipated doses, the maintenance of safety and the
final state of the facility at the end of decommissioning. An area of particular significance is
the safe management of the radioactive waste generated.
3.1.3. Review and assessment methodology
The review and assessment process is a critical appraisal, performed by the regulatory
body, of information submitted by the operator to demonstrate the safety of the facility.
Review and assessment is undertaken in order to enable the regulatory body to make a
decision or series of decisions on the acceptability of the facility in terms of safety. Decisions
relating to safety are based on the review and assessment of the operator’s submissions, the
studies and evaluations performed independently by the regulatory body itself, and the safety
objectives and specific safety requirements established by the regulatory body. These safety
objectives and safety requirements will themselves be founded on the existing knowledge as
represented by the technological developments in all pertinent fields. Decisions of the
regulatory body should reflect professional judgement by technically competent persons on
the bases of requirements and operational experience throughout the review and assessment
process.
Review and assessment includes consideration of both normal operation and failures,
faults, and events, including human errors that have the potential for causing the exposure of
workers or the public or subjecting the environment to radiation hazards. This safety analysis
is as complete as possible and one of the initial tasks of the review and assessment is to
confirm its completeness. The review and assessment process includes checks on the actual
situation at the site and elsewhere to validate the claims made in the submissions. Operators
often have external peer reviews conducted for them by national or international
organizations. The results of such reviews, if available, could provide the regulatory body
with additional insight to the activities of the operator.
3.1.3.1. Review plan for operator’s submissions
The operator is responsible for submitting documentation in support of its application
for authorization. At each stage of the authorization process the operator will be required to
demonstrate to the satisfaction of the regulatory body that the facility can be sited, designed,
constructed, commissioned, operated, decommissioned or closed without giving rise to undue
radiation hazards to workers, the public and the environment. Any modification to safety
related aspects of a facility or activity is subject to review and assessment, with the potential
magnitude and nature of the associated hazard being taken into account.
For more important submissions by the operator (e.g. safety analysis report) it may be
useful for the regulatory body to perform an acceptance review of the documentation. As a
result of this acceptance review, an application or submission that is grossly deficient in
certain areas is returned to the operator for correction prior to re-submittal.
108
In carrying out a review and assessment of an operator’s submission the regulatory
body employs a systematic plan to provide assurance that all topics significant to safety will
be covered and that operators with similar facilities are treated equally. This plan includes a
series of procedures that the regulatory body follows for all aspects and topics covered by the
submission in order to identify those items for which applicable safety objectives and
requirements have been met and those for which they have not. An outline of such plan could
be:
x Definition of the scope of the review and assessment process;
x Specification of the purpose and technical bases for the review and assessment process
(these could be considered as acceptance criteria);
x Identification of the additional information needed for the review and assessment;
x Performance of a step by step review and assessment procedure to determine whether the
applicable safety objectives and requirements have been met for each aspect or topic;
x Making decisions concerning the acceptability of the operator’s safety arguments or the
need for further submissions.
Bases for decisions
The regulatory review and assessment will lead to a series of regulatory decisions. At a
certain stage in the authorization process, the regulatory body takes formal actions that will
result in either:
x
x
the granting of an authorization which, if appropriate, imposes conditions or limitations
on the operator’s subsequent activities; or
the refusal of such an authorization.
The regulatory body formally records the basis for these decisions.
At many stages during the review and assessment process decisions are taken on the
acceptability of various aspects of the facility. The nature of these will vary during the lifetime
of the facility and some will be associated directly with stages of the regulatory authorization
process. The regulatory body recognizes the basis for such decisions that take account of a
number of factors, important among these are:
x The extent to which the safety objectives and requirements have been met;
x The acceptability of the depth and detail of the operator’s submission, with the nature of
the facility and the magnitudes of the risks it presents;
x The state of knowledge concerning particular processes or effects;
x The confidence in the conclusions reached on the basis of the analysis of the situation.
109
These factors are an integral part of the review and assessment process and receive
special consideration in the documentation produced by the regulatory body. The decisions on
acceptability are taken against a background of safety objectives, precedents and judgements,
the basis for which should be clearly understood. The decision on the safety of the facility, for
example, will always be taken in the light of a requirement to fulfil certain obligations. These
will include operational limits and conditions and obligations in respect of maintenance
programme and the frequency of in-service inspection or acceptance criteria for radioactive
waste.
3.1.3.2. Conduct of review and assessment
The general aim of the regulatory review of safety analysis report, whether
deterministic or probabilistic, is to verify that for each identified barrier the safety measures
are sufficient to provide adequate assurance at the following levels:
x Prevention of failure of the barrier itself and prevention of failure of related systems
during normal operation and in fault conditions;
x Monitoring of any parameter significant to the integrity of the barrier, to allow initiation of
either manual or automatic actions in order to prevent any evolution towards an unsafe
condition;
x Safety action to prevent or limit the release of radioactive material if the barrier has failed;
x For certain applications and depending on the associated risk, mitigation of consequences.
From this analysis, the requirements on the systems, structures, components and
operations can be derived and compared with the provisions made by the operator. The review
and assessment by the regulatory body ensures that the operator has used the safety analysis to
determine these requirements and that the requirements are met in the equipment and
operational procedures. These requirements should cover also, among other things:
x
x
x
x
x
x
x
x
Application of the defence in depth principle;
Meeting the single failure criterion for safety related systems;
Requirements for redundancy, diversity and separation;
Preference for a passive over an active or operator based system for prevention and
protection;
Criteria relating to human factors and the human-machine interface;
Dose limits and amount of discharges to the environment and ALARA consideration;
Criteria for radiological risks to workers and the public;
Minimization and management of waste generated, including the future decommissioning
phase.
Structures, system and components
From this analysis, the requirements on the structures, systems, components (SSCs) and
operations can be derived and compared with the provisions made by the operator. The review
and assessment by the regulatory body ensure that the operator has used the safety analysis to
110
determine these requirements and that the requirements are met in the equipment and
operational procedures. Specific features that are subject to review and assessment include:
x Safety functions and classification of SSCs;
x Quality of engineered features in terms of good engineering practices or as set out in the
regulatory requirements;
x Control of the facility under normal and fault conditions, with account taken of automatic
systems, the human-machine interface and operating instructions;
x Quality assurance covering SSCs and operational aspects such as training, qualification
and experience of the operator’s personnel and the safety management system.
Organization and management
A well engineered facility may still not achieve the required level of safety if it is not
managed well. The review and assessment by the regulatory body, therefore, include
consideration of the operator’s organization, management, procedures and safety culture
which have a bearing on nuclear, radiation, waste and transport safety and the operation of the
facility. The operator demonstrates by documentary means that there is an effective safety and
the operation of the facility. The operator demonstrates by documentary means that there is an
effective safety management system in place that gives nuclear safety matters the highest
priority.
The review and assessment by the regulatory body cover all aspects of the operator’s
managerial and organizational procedures and systems which have a bearing on nuclear safety
such as: operational feedback; the development of operating limits and conditions; the
planning and monitoring of maintenance, inspection and testing; the production and revision
of safety documentation; and the control of contractors. The regulatory body also reviews and
assesses the operator’s procedures for the control and justification of changes to the operator’s
managerial and organizational procedures and systems that could have an impact on nuclear
safety.
Operational safety performance
The regulatory body reviews periodic reports submitted by the operating organizations,
in accordance with established requirements, to monitor the operational safety performance of
the facility. Additionally, reports on safety significant events are thoroughly reviewed by the
regulatory body to ensure that an effective operational safety experience feedback system is in
place, that no safety related event remains undetected, and that corrective measures are
adopted to prevent the recurrence of safety related events. At times, when the severity of the
event warrants it, the regulatory body may conduct an independent investigation, usually
through a team with appropriately selected areas of expertise, to ensure that the event was
adequately investigated, the correctness of identified root causes, the adequacy of the
implemented corrective and remedial actions taken. The review includes the identification of
lessons to be learned and the process of sharing the associated safety related information.
Radiological consequences under normal conditions
The assessment of routine operation is directed towards the determination of
occupational doses and discharges. These consequences will be compared with those limiting
111
requirements and safety objectives approved by the regulatory body, including meeting the as
low as reasonably achievable (ALARA) principle. The regulatory review and assessment of
the operator’s submission should determine whether it satisfies these requirements and
objectives. In the review and assessment, particular attention should be devoted to a number
of topics that influence the potential radiological consequence to workers, the public and the
environment during routine operation, which include:
x
x
x
x
x
Sources and inventory;
Occupational radiation exposure and other topics related to radiation protection;
Radiation protection of the public, with all pathways taken into account;
Radioactive waste management;
Discharge, dilution and dispersion of radioactive effluents.
Safety analysis of fault conditions
Consideration of fault conditions strongly influences the design limits for the safety
systems and for most structure, systems and components (SSCs) needed for the operation of
the facility. It will also strongly influence the operational instructions and procedures that
operating personnel should follow. In addition, the potential radiological consequences for
workers, the public and the environment in fault conditions may be much more severe than
those during routine operation. For this reason, the largest part of the review and assessment
effort may be expected to be directed to the safety analysis of fault conditions provided by the
operator. Safety analysis can be considered as two major steps:
x Identification of postulated initiating events (pies) and their frequencies; and
x Evaluation of how these pies develop and their consequences.
The method used for identification of the PIEs should be systematic, and auditable and
as complete a listing of PIEs as possible should be provided. An important feature of the
review and assessment process should be to consider whether the operator’s identification
method meets these requirements and the operator’s list of PIEs is acceptable as the basis for
the safety analysis.
PIEs can be grouped in various ways but a commonly used method is to separate them
into:
x External hazards, which are outside the control of the operator and may result from
naturally occurring or human-made causes, such as seismic, an aircraft crash or
explosions due to liquid inflammable gas transportation;
x Internal faults that result from inherent failures of the facility, such as mechanical or
electrical failures or loss of services; and
x Internal hazards that result from failures of systems which are within the operator’s
control but which are not directly involved in the process, such as fires or spillages of
corrosive material.
Consideration should also be given to human errors, which may be initiators in their
own right or which may exacerbate another fault.
112
It is usual to classify the PIEs identified according to their initiating frequency and the
potential consequences to which they could lead. The purpose of such classification is to
decide on the level and type of analysis that should be undertaken. The regulatory body should
decide which classification and PIE analysis it requires the operator to provide so that it can
decide whether its safety objectives and requirements have been met. The nature of the facility
and the potential magnitude of the risk it presents will affect these requirements, as well as
affecting the depth and detail of the subsequent analysis.
A typical classification, based on initiating frequency, would determine:
x PIEs that are of high likelihood should be analysed to show that the facility has a robust
tolerance of them, by the provision of safety systems or inherent behaviour tending to
restore a safe state, to prevent the release of radioactive material or limit such a release to
an acceptably low level;
x PIEs that are of low likelihood but that have such severe potential consequences (i.e.
unmitigated consequences) that the facility should have safety systems to prevent the
release of radioactive material or limit it to an acceptable level;
x PIEs which do not fall into these groups should also be analysed with the intention of
determining whether in totality they make an unacceptable contribution to the total risk,
whether the PIEs in the classes defined are at a threshold of escalation of consequences,
and whether the emergency arrangements are sufficient.
The regulatory body should determine the type of analytical considerations and
assumptions to be used in its review and assessment of the operator’s analysis, and should
check that these have been taken into account. It is often the case that for those PIEs which
may affect the design and provision of safety systems, or which affect the safety requirements
on engineering SSCs, a high degree of conservatism is required in the analysis to meet the
requirement of demonstrating that the safety of the facility is robust. This part of the safety
analysis should be coupled with consideration of the engineering and the operational practices.
The regulatory body, as part of its review and assessment, should ensure that all claims made
in the safety analysis for the performance of such systems are met in practice. Similarly, the
engineering systems should be qualified to meet the functional requirement for which they
were designed; for all situations and at all times, and with environmental conditions, ageing
and so on taken into account.
The analyses of fault conditions and long term safety are usually performed using
computer codes. The regulatory review and assessment should include a check that any data,
modelling or computer codes used in calculating either the performance of equipment under
the conditions indicated by the analysis or any radiological consequences are based on
sufficiently well founded knowledge and understanding, and that an adequate degree of
conservatism has been employed. As part of its review and assessment, the regulatory body
should ensure that the computer codes are based on well understood principles. Computer
codes should be validated against experience or experiment that the coding has been done
accurately and the input data have been correctly assigned. In many cases the codes will have
been used widely both nationally and internationally, and so it will be possible to consider
their verification and validity on a generic basis. However, checks should be made to ensure
113
that the code has not been corrupted by modifications and is being used in an appropriate
manner.
As a complement to the deterministic approach the regulatory body should require an
evaluation of the risks arising from the facility. A common method to provide such an
evaluation is for the operator to perform a quantified risk analysis or probabilistic safety
analysis (PSA). PSA provides a comprehensive, structured approach to identifying failure
scenarios and the corresponding damages to the facility and as a last step deriving numerical
estimates of the risk to workers, the public and the environment. PSA provides a systematic
approach for determining whether the safety systems are adequate, the defence in depth
requirements have been met and the risks are as low as reasonably achievable. It is usual in
such analyses to use less conservative assumptions and to consider best estimate values.
The regulatory body should review and assess the PSA to gain confidence that it has
been carried out to an acceptable standard so that the results can be used as an input to the
regulatory decision making process. In the review and assessment, it should be considered
whether the data used in estimating frequencies and probabilities are sufficiently well
founded; whether the bounding of PIEs into groups for analysis, if used, is sound; whether the
identification of failure scenarios is comprehensive; and whether the analyses of the facility’s
response and consequences are acceptable. The PSA should include a consideration of the
sensitivity of the results to uncertainties in data and modelling and the importance of
individual events in the progression of the failure scenario.
The insights gained from PSA should be considered together with those from other
analyses in making a decision regarding the acceptability of the safety of a facility. An
important aspect of PSA is that, as well as giving an estimate of risks, it also provides
information on whether the design is balanced, on the interaction between design features of
the facility, and on where there are weaknesses. These additional aspects should not be
neglected by a regulatory body reviewing a PSA when making its decisions.
Although a fundamental feature of the review and assessment process is the
consideration by the regulatory body of the documentation supplied by the operator, as
another necessary part of the process, the regulatory body should also check claims made in
the documentation, by means of visits and inspections to the facility. Such verification is
carried out by relevant specialists at all stages of the authorization process. These visits will
also allow the regulatory body to supplement the information and data needed for review and
assessment. Additionally, the regulatory body will be able to improve its practical
understanding of the managerial, engineering and operational aspects involved and foster links
with appropriate specialists in the operator’s organization. Where the operator provides some
central functions away from the facility, visits are also made by the regulatory body to this
part of the operator’s organization. The staff of the regulatory body that carry out review and
assessment has the right to visit or designate others to visit on its behalf, the operator’s site
and, if necessary, to visit contractors’ establishments with the knowledge of the operator. The
visits may be a good opportunity to observe the adequacy and effectiveness of the quality
assurance systems of the operator, manufacturers and suppliers.
It is often very useful for the operator to arrange for those preparing or involved in
complex submissions to provide key regulatory assessors with presentation(s) highlighting the
main technical issues raised and analytical techniques used.
114
The review and assessment process will invariably involve the production of reports
by various experts in the regulatory body and any consultants employed. A document control
system for maintaining records of the process is set up which will allow such documents and
records to be easily retrieved. It is particularly important to be able to locate the bases of
previous decisions, so that consistency can be achieved and any reassessment made necessary
by recent information can be more readily accomplished.
Review and assessment result in a decision on the acceptability of the safety of the
facility that may be connected to a stage in the authorization process. The basis for the
decision is recorded and documented in an appropriate form. This documentation summarizes
the review and assessment performed, and provides a clear conclusion about the safety of the
authorized activity. Typically, the following topics are covered:
x
x
x
x
x
x
x
x
reference to the documentation submitted by the operator;
basis for the evaluation;
evaluation performed;
comparison with regulatory requirements, regulations and guides;
comparison with another similar (reference) facility when appropriate;
independent analysis performed by the regulatory body staff, or by consultants or
dedicated support organization on its behalf;
conclusions with respect to safety;
additional requirements to be fulfilled by the operator.
3.1.4. Quality assurance in the review and assessment process
The regulatory body has a system to audit, review and monitor all aspects of its review and
assessment process to ensure that it is being carried out in a suitable and efficient manner and
that any changes to the process made necessary owing to improvements in knowledge or
techniques or otherwise are implemented.
3.1.5. Topics to be covered by regulatory review and assessment
Table XI provides a generic list of topics that are considered part of the review and assessment
process throughout the life-cycle of the facility from site selection to decommissioning. Each
topic has been itemized; however, addressing all of them does not necessarily mean that every
safety aspect has been fully covered. It should be noted that, depending on the facility and on
the particular phase of the facility’s life, some of the aspects/topics will be more important
than others and the degree of detail necessary may vary.
115
116
Transport of radioactive materials and waste and equipment both on and off the site
needs adequate arrangements. The regulatory body reviews and assesses these
arrangements and assures itself that all national and regulatory requirements are met.
Safety analysis
x are properly characterized and compatible with the anticipated nature and duration of
storage pending disposal;
x can be subjected to regular surveillance;
x can be retrieved for further waste management steps.
Throughout the lifetime of any facility, operators propose and implement arrangements
for waste management. The regulatory body reviews and assesses proposals for on-site
treatment and storage to ensure that the processed waste and waste packages are
compatible with national strategy, relevant waste acceptance requirements for
subsequent waste management steps and regulatory requirements. Specifically, the
regulatory body assures itself that the waste or waste packages:
Infrastructural aspects
x Detailed description of the facility, supported by drawings of the layout, the system
and the equipment;
x Information about the functional capability of the facility, its systems and major
items of equipment;
x The findings of tests which validate the functional capability;
x The results of inspections of components;
x Maintenance records;
x Description of the present physical condition of SSCS based on inspections or tests;
x Description of the support facilities available both on and off the site, including
maintenance and repair shops;
x Geological, hydrogeological and meteorological conditions; and
x Description of off-site characteristics, including population densities, land use,
industrial developments and transportation arrangements (such as airports, and road
and rail systems).
The following information on the facility and the process conducted are provided by the
operator at various stages and used as a basis for review and assessment:
Physical nature of the facility and its environment
TABLE XI. LIST OF IMPORTANT TOPICS FOR REVIEW AND ASSESSMENT
A compilation of the safety analysis and its assumptions;
Structures, systems and components important to safety;
Limits and permitted operational states;
Anticipated operational occurrences;
Postulated initiating events for the safety analyses, such as external hazards, internal
faults and internal hazards;
Description how defence in depth concept is fulfilled;
Analytical methods and computer codes used in the safety analysis and verification
and validation of such codes;
Radioactive releases and radiation exposures under normal operation and fault
conditions;
The operator’s safety criteria for analyses of operator action, common cause events,
cross-link effects, single failure criterion, redundancy, diversity and separation.
The information that the operators provide to the regulatory body for review and
x It will be in control of the facility;
x It has an adequate safety management system to be able to manage and control the
facility; and
x It has resources available to meet its obligations and liabilities in connection with an
authorization.
At all stages of the facility’s lifetime, the operator demonstrates that:
The operating organization and the management system
The impact of the facility is assessed and social and economic issues, land use issues,
technical issues such as detailed considerations of geology and hydrogeology, transport
routes and protection of the environment are taken into account. Both the anticipated
impact and the consequences of fault conditions which are the subject of safety analysis
are considered.
x
x
x
x
x
x
x
x
x
Throughout the lifetime of the facility, the regulatory body reviews and assesses the
information provided by the operator on the facility, in particular the information
covering:
117
x
x
x
x
x
x
x
x
x
x
x
x
x
A mechanism for setting of operating and safety targets;
A policy that states that safety takes precedence over production;
Documented roles and responsibilities of individuals and groups;
Procedures for control of modifications to the facility;
Procedures for the feedback of experience to the staff, including the experience
relating to organizational and management failures;
Mechanisms for maintaining the configuration of the facility and its documentation;
Formal arrangements for employing and controlling contractors;
Staff training facilities and programmes;
A quality assurance programme and regular quality assurance audits with
independent assessors;
A system for ensuring compliance with regulatory requirements;
Comprehensive, readily retrievable and auditable records of baseline information,
operational and maintenance history;
Staffing levels for the operation of the facility that take account of absences, shift
working and overtime restrictions;
Qualified staff available on duty at all times;
The operator demonstrates that it has:
The operator demonstrates an overall safety management system whereby all activities are
controlled to provide an assurance that requirements for quality, safety and the
environment are met. This includes having operational procedures.
x The structure of the operator’s organization, showing that it has adequate control of
the activities of its own staff and its contractors;
x A demonstration of adequate resources for appropriately trained and experienced
staff, ensuring in-house expertise;
x Demonstration of the adequacy of the procedures for control of changes to
organizational structure and resources;
x The specification and documentation of the duties of staff, demonstrating integration
of safety responsibilities into their duties;
x Demonstration of the provision or access to a high level of expertise in safety to
carry out safety and engineering analysis, and associated audit and review functions;
x Demonstration of the adequacy of the provisions for financing continuing liabilities
and decommissioning; and
x Any proposals for the use of contractors.
assessment include:
x A list of equipment covered by the equipment qualification programme and a list of
control procedures;
x A qualification report and other supporting documents (such as equipment
qualification specifications, qualification plan);
The operator provides:
Equipment qualification
Formal approval and documentation for all safety related procedures;
A formal system for modification of a procedure;
Understanding and acceptance of the procedures by management and on-site staff;
Verification that the procedures are followed;
Procedures that are adequate in comparison with international good practice;
Arrangements for regular review and if necessary, revision of the procedures;
Clear procedures taking into account human factor principles;
Procedures which comply with the assumptions and findings of the safety analysis,
design and operating experience; and
x Adequate emergency operating procedures.
x
x
x
x
x
x
x
x
The operator demonstrates it has:
Operational procedures
x Systematic and validated methods for staff selection (e.g. testing for aptitude,
knowledge and skills);
x Programmes for initial, refresher and upgrade training, including the use of
simulators;
x Training in safety culture, particularly for managers;
x Competence requirements for operation, maintenance, and technical and managerial
staff;
x Programmes for feedback of operating experience relating to failures in human
performance;
x Guidelines on fitness for duty in relation to hours of work, health and substance
abuse;
x Competence requirements for operation, maintenance, and technical and managerial
staff; and
x A system for consideration of the human-machine interface and design and for the
analysis of human information requirements and task workload for the control room
and other work stations.
118
Verification that the installed equipment matches the qualification requirements;
Procedures to maintain qualification during the installed life of the equipment;
Information on mechanisms for ensuring compliance with these procedures;
Documentation on maintenance, testing and inspection programme and a feedback
procedure to ensure that ageing degradation of qualified equipment remains
insignificant;
Documentation on an analysis of the effect of equipment failure on other equipment
qualification and appropriate corrective actions to maintain equipment qualification;
Information on protection of qualified equipment from adverse environmental
conditions;
Information on the physical integrity and functionality of qualified equipment; and
Records of all qualification measures taken during the installed life of equipment.
x The system for identifying and classifying safety related incidents;
x The arrangements for root cause analysis of incidents, the lessons learnt and followup measures taken;
x Methods for selecting and recording safety related operational data, including those
for maintenance, testing and inspection;
x Trend analyses of safety related operational data;
The operator provides details of:
Operator’s safety performance
x Documented methods and criteria for identifying SSCs covered by the ageing
management programme;
x A list of SSCs covered by the ageing management programme and records which
provide information to support the management of ageing;
x An evaluation and documentation of potential ageing degradation that may affect the
safety functions of SSCs;
x Details of the extent of understanding of dominant ageing mechanisms of SSCs;
x Details of the programme for timely detection and mitigation of ageing processes
and/or ageing effects;
x Acceptance criteria and required safety margins for SSCs; and
x Awareness of physical condition of SSCs, including actual safety margins.
The operator provides an appropriate programme for the management of ageing of
equipment that covers:
Management of ageing
x
x
x
x
x
x
x
x
x Feedback of experience relevant to safety from similar facilities and other nuclear
and non-nuclear facilities;
x Assessment of and actions on the basis of the above experience;
x Determining the need for research and development;
x The receipt of information on the findings of relevant research programmes;
x Assessment of and actions on the research information.
The operator provides information of its arrangements for:
Experience from other facilities and research findings
x Feedback of safety related operational data into the operating regime including
records and reports of incidents and accidents;
x Analyses of safety performance indicators such as:
frequency of unplanned termination of operation
frequency of selected safety system actuation/demands
frequency of safety system failures
unavailability of safety systems
annual individual and collective radiation doses to workers
trends in causes of failures
backlog of outstanding maintenance
extent of preventive maintenance
extent of corrective maintenance including repair and replacement
frequency of unplanned operator actions in the interest of safety and their
success rate
amounts of radioactive waste generated
quantities of radioactive waste in storage
x Records of radiation doses to persons on site;
x Records of off-site contamination and radiation monitoring data for the site;
x Records of quantities and relevant characteristics of radioactive waste generated and
stored in the facility; and
x Records of the quantities of radioactive effluents discharged.
3.2. COUNTRY SPECIFIC APPROACHES AND EXPERIENCE
3.2.1. Deterministic safety approach — French experience [22]
The objective of the licensing process is to determine whether the applicant
submissions comply with the safety objectives stipulated or approved by the regulatory body.
Prior to checking this compliance, the technical aspects of these safety objectives must be
reminded.
This presentation is focused on pressurised water reactors of the type developed in
France, but the principles are more general in scope.
3.2.1.1. Determination of specific risks
Nuclear reactors have two specific characteristics that differentiate them from other
energy production installations:
x
These reactors accumulate a large quantity of radioactive products (Table XII) from
which staff must be protected and the large scale dispersal of which to the environment
would constitute a major accident;
x
Significant energy release continues for a very long time, even after reactor shutdown,
since it is related to the radioactivity of the fission products contained in the reactor core.
Plant safety therefore depends on adequate protection with respect to radiation sources
together with their confinement. If the sources are localised in the appropriate areas provided,
radiation protection can be achieved by the judicious installation of absorbent shields of a
suitable material and thickness. Difficulties arise mainly from dispersal of radioactive
products outside the standard localised areas. The possible causes of such dispersal shall
therefore be investigated.
Radioactive products are, for the most part, produced within the fissile material itself
and it is desirable that they remain there until the fuel has been reprocessed in a suitable plant.
Correct cooling of the fuel and fuel cladding is therefore essential.
TABLE XII. MAXIMUM ACTIVITY OF THE MAIN FISSION PRODUCTS*
Rare gases
Iodine
Caesium
*
Core, 2 h after
shutdown
107 TBq **
2 107 TBq
107 TBq
Spent fuel
Primary system
Gaseous effluents
106 TBq
106 TBq
2 104 TBq
3 102 TBq
20 TBq
2 102 TBq
900 MW(e) PWR, maximum burnup 33,000 MWd/tU.
1 TBq = 1012 Bq = 27 Ci (Curie).
**
119
It should be pointed out that:
x Under normal operating conditions, a nuclear reactor has no “natural” power level. In order
to be able to operate for at least a year without refuelling and counterbalance various
power-related effects, the core has to contain a quantity of fissile material far exceeding the
critical mass at cold shutdown. The power level produced by this material consequently
results from combining various parameters which must be controlled from outside;
x Under particular operating conditions, the energy released in a nuclear reactor can increase
extremely quickly, in an uncontrolled manner and can then only be limited by neutron
feedback effects related to temperature rises or fuel dispersal;
x Energy released in fuel that was part of a chain reaction cannot afterwards be annulled,
even when the reaction is over. In fact, radioactive products deriving from fission must
themselves release a certain amount of energy in order to reach a stable state. They do this
with a decay period specific to each element which can be very short (less than 1 second),
or average (months or years) or very long (hundreds or thousands of years). Although
decreasing, the power produced will for a long time be greater than one-thousandth of the
rated power and this calls for continuous cooling (Table XIII).
TABLE XIII. RADIOACTIVE DECAY POWER
Time after shutdown
1 second
1 minute
1 hour
1 day
1 week
1 month
1 year
10 years
100 years
1000 years
Percentage of the initial
thermal power
17%
5%
1.5%
0.5%
0.3%
0.15%
0.03%
0.003%
0.001%
0.0002%
Thermal power
produced in MW
500
150
45
15
9
4.5
1
0.1
0.03
0.006
Prevention of specific risks therefore requires:
x Efficient control of the chain reaction and hence the power produced;
x Fuel cooling assured under thermal hydraulic conditions designed to maintain fuel clad
integrity;
x Containment of radioactive products in the fuel, in the primary coolant and specifically in
the containment building.
Maintaining these three safety functions is the key to reactor safety.
120
3.2.1.2. Potential risks, residual risks, acceptable risks
Estimation of the risks associated with operation of a nuclear installation requires that
a distinction be made, as for all industrial facilities, between potential risks, which would exist
in the absence of all protective measures, and residual risks, which remain despite provisions
made to prevent accidents and, if an accident occurs, to minimise the consequences. Nuclear
safety is specifically concerned with this dual objective.
Potential risks are clearly defined by the radioactive substances involved, so that the
only difficulties involved concern estimating residual risks, since it is impossible to claim that
these can be reduced to zero level. These risks are subject to a double estimation, in terms of
the probability of possible accidents and in terms of seriousness, depending on the gravity of
accident consequences.
The idea of probability arises naturally when problems of safety are broached. The
logical and instinctive approach is to ensure that an accident is all more unlikely the higher the
risk of serious environmental consequences. It is essential that a very severe accident with
major consequences be made highly improbable. This natural approach was the guiding
principle in the early work carried out in the field of nuclear safety. The “Farmer curve” (Fig.
12), produced at the beginning of the seventies, shows an authorized area and a forbidden area
on either side of a curve plotted on a probability versus consequences graph, with the
consequences expressed as radioactive iodine release. Only the symbolic aspect is presented
here.
Consequences
Very
serious
Forbidden area
Authorized area
Slight
Very rare
Very frequent
Probability
FIG. 12. Relation between probability and consequences. (Farmer graph).
The designers of nuclear power plants then engaged upon a thorough study and more
precise definition of this curve by matching probability ranges with radiological consequences
that could be considered acceptable. A few years later, the safety organizations specified an
indicative limit for the maximum accident probability likely to give rise to consequences
deemed unacceptable. This by no means implies that situations of even lower probability
should receive no attention. It has to be shown that all types of accidents considered credible
have been taken into account and are covered by the accident studies performed and that the
systems provided to prevent their development or mitigate their consequences, the engineered
121
safety systems built into the installations, effectively enable the safety objectives to be
achieved.
Safety specialists have progressively developed an entire arsenal of principles,
concepts and methods applicable both at the design stage and at the construction and operating
stages. These are, firstly, the barriers, secondly the defence in depth concept, which has been
gradually extended and is presented in what follows, and thirdly the probabilistic studies.
3.2.1.3. Defence in depth concept
Objectives of defence-in-depth
Implementation of defence in depth concept contains several levels of protection,
including successive barriers preventing the release of radioactive material to the
environment. The objectives are as follows:
x To compensate for potential human and component failures;
x To maintain the effectiveness of the barriers by averting damage to the plant and to the
barriers themselves; and
x To protect the public and the environmental from harm in the event that these barriers are
not fully effective.
Barriers
When France adopted the pressurised water reactor system this country had already
built several major nationally designed installations and perfected an appropriate safety
approach, the barrier method.
Protection of the public against the consequences of an accidental release of fission
products rests on the interposition of a series of leak tight barriers. The French practice
considers three barriers (Fig. 13): the fuel cladding, the reactor coolant pressure boundary, the
primary containment but it is known that some countries consider the fuel matrix as a first
barrier which does not really affect this method. Each of these is examined in detail under
three operating conditions:
x Normal operation.
x Normal operating transients.
x Abnormal operating transients.
Safety analysis therefore consists of ensuring the validity of each of these barriers and
their correct operation under normal and accident reactor operating conditions. This kind of
analysis emphasises the progressive nature of safety by distinguishing three successive but
interrelated stages:
x Prevention.
x Monitoring.
x Mitigating action.
122
3rd barrier : reactor containment building
2nd barrier : Reactor coolant pressure boundary
Steam lines
Steam
generator
1st barrier :
Fuel
cladding
Primary
Claddings
pump
Pool
Pressurizeur
Claddings
FIG. 13. Main PWR barriers.
This barrier method is deterministic, since it attests the possibility of a certain number
of accident situations. Applying it during the first 900 MW(e) PWR unit examinations at the
beginning of the 1970s revealed certain difficulties. If the definition of the first barrier is
simple despite its extent, this is not true for the other two barriers. The reactor coolant
pressure boundary is clearly defined within the reactor building. It branches out, however, in a
fairly complex manner in the auxiliary buildings. The spent fuel pit has the same function,
despite its free surface. The reactor building containment is not the only place containing
spent fuel or primary coolant. Delimitation of the third barrier is thus also fairly complex.
Finally and most importantly, this succession of three barriers implies one markedly important
fact: the steam generator tubes with a considerable total surface area and a very thin wall
simultaneously fulfil the function of primary coolant enclosure and containment (second and
third barriers).
These reflections have contributed to the evolution of safety thinking from the barrier
method to the defence in depth concept. This concept in fact includes the barrier method, but
enables an analysis of installations to be carried out which is both more comprehensive and
more detailed.
Levels of defence
The defence in depth concept is not an installation examination technique eliciting a
particular technical solution, but a method of reasoning and a general framework enabling
more complete examination of an entire installation. It was developed in the USA in the
sixties and was notably the design basis for the Westinghouse nuclear power reactors. The
approach linking successively prevention, monitoring and mitigating action is broadened to
cover all safety related components and structures. We shall see that this approach, initially
developed for plant design analysis, is also well adapted to operating organization.
Before describing the different stages involved, the principle can be simply
summarised as follows: Although the precautionary measures taken with respect to errors,
incidents and accidents are, in theory, such as to prevent their occurrence, it is nevertheless
123
assumed that accidents do occur and provisions are made for dealing with them so that their
consequences can be restricted to levels deemed acceptable. This does not obviate the need to
study still more severe situations, the causes of which may as yet be unknown, and to be ready
to confront them under the best possible conditions.
The approach combines the prevention of abnormal situations and their degradation
with the mitigation of their consequences. It is a deterministic method, since a certain number
of incidents and accidents are postulated. The defence in depth concept consists of a set of
actions, items of equipment or procedures, classified in levels, the prime aim of each of which
is to prevent degradation liable to lead to the next level and to mitigate the consequences of
failure of the previous level. The efficiency of mitigation must not lead to cutbacks in
prevention, which takes precedence.
In July 1995, the IAEA International Nuclear Safety Advisory Group adopted a
document on this subject INSAG-10, “Defence in Depth in Nuclear Power Plant Safety”, [9].
This document presents the history of the concept since its inception, how it is currently
applied and indicates advisable modifications for its application to the next generation of
reactors.
The defence in depth concept now comprises five levels. The way in which these levels
are structured may vary from one country to another or be influenced by plant design but the
main principles are common. The presentation below is consistent with the new INSAG
document (See Fig. 14).
First level: Prevention of abnormal operation and failures
The installation must be endowed with excellent intrinsic resistance to its own failures
or specified hazards in order to reduce the risk of failure. This implies that following
preliminary delineation of the installation, as exhaustive a study as possible of its normal and
foreseeable operating conditions be conducted to determine for each major system, structure
or component, the worst mechanical, thermal, pressure stresses or those due to environment,
layout, etc. for which allowance must be made. Normal operating transients and the various
shutdown situations are included in normal operating conditions. The installation components
can then be designed, constructed, installed, checked, tested and operated by following clearly
defined and qualified rules, while allowing adequate margins with regard to specific limits at
all times to underwrite correct behaviour of the installation. These margins should be such that
systems designed to deal with abnormal situations need not be actuated on an everyday basis.
A moderate-paced process with a computer-based control system will diminish
operating staff stress hazards. Man-machine interface provisions and time allowances for
manual intervention can make a significant contribution.
In the same way, the various disturbances or hazards deriving from a source external to
the plant and which the installation must be able to withstand without operating disturbances
or, in other cases, without causing significant radioactive discharge, shall be specified. Site
selection with a view to limiting such constraints can play a decisive role. In this way, it is
possible to determine a reference seismic level, extreme meteorological conditions expressed
as wind speed, weight of snow, maximum over-pressure wave, temperature range, etc. The
new stress factors thus derived shall be used in the same way as before.
124
Sets of rules and codes define in a precise and prescriptive manner the conditions for
design, supply, manufacture, erection, checking, initial and periodic testing, operation and
preventive maintenance of all safety related equipment and structures in the plant in order to
guarantee their quality in the widest sense of this term. The selection of appropriate staff for
each stage, from design to operation, their appropriate training, the overall organization, the
sharing of responsibilities or the operating procedures contribute to the prevention of failures
throughout plant life. This also applies to the systematic use of operating feedback. On this
basis may be defined the authorized operating range for the plant and its general operating
rules.
Second level: Control of abnormal operation and detection of failures3
The installation must be prevented from straying beyond the authorized operating
conditions which have just been defined and sufficiently reliable regulation, control and
protection* systems must be designed with the capacity to inhibit any abnormal development
before equipment is loaded beyond its rated operating conditions, so defined as to allow
substantial margins with respect to failure risks. Temperature, pressure and nuclear and
thermal power control systems shall be installed to prevent excessive incident development
without interfering with power plant operation. With a plant design procuring a stable core
and high thermal inertia, it is easier to hold the installation within the authorized limits.
Systems for measuring the radioactivity levels of certain fluids and of the atmosphere
in various facilities shall assume monitoring requirements and check the effectiveness of the
various barriers and purification systems. Malfunctions clearly signalled in the control room
can be better dealt with by the operators without undue delay. Finally, the protection systems,
the most important of which is the emergency shutdown system but also including, for
example, safety valves, shall be capable of rapidly arresting any undesirable phenomenon,
inadequately controlled by the relevant systems, even if this entails shutting down the reactor.
Furthermore, a periodic equipment surveillance program enables any abnormal
developments in major equipment to be spotted. Such developments would otherwise be
likely to lead to failures over a period of time. Periodic weld inspections, crack and leak
detection, routine system testing pertain to these preventive surveillance activities.
Third level: Control of accidents within the design basis
The first two levels of defence in depth, prevention and keeping the reactor within the
authorized limits, are designed to eliminate with a high degree of reliability, the risk of plant
failure. However, despite the care devoted to these two levels and with the obvious aim of
safety, a complete series of incidents and accidents is postulated by assuming that failures
could be as serious as a total instantaneous main pipe break in a primary coolant loop or a
steam line or could concern reactivity control. This places us in a deterministic context, which
is one of the essential elements of the safety approach.
3
Control systems are sometimes included in first level provisions. The INSAG document places automatic
shutdown at third level. But these variations make no difference to the general principle.
125
We are then required to install systems for limiting the effects of these accidents to
acceptable levels, even if this involves the design and installation of safety systems having no
function under normal plant operating conditions. These are the engineered safeguard
systems4. Start-up of these systems must be automatic and human intervention should only be
required after a time lapse allowing for a carefully considered diagnosis to be reached. In the
postulated situations, the correct operation of these systems ensures that core structure
integrity will be unaffected, which means that it can subsequently be cooled. Release to the
environment will consequently be limited.
The choice of incidents and accidents must be made from the beginning of the design
phase of a project so that those systems required for limiting the consequences of incidents or
accidents integrate perfectly with the overall installation design. This choice must be made
with the greatest care as it is very difficult to insert major systems in a completed construction
at a later date.
Fourth level: Control of severe plant conditions including prevention of accident progression
and mitigation of severe accident consequences
In the context of on-going analysis of risks of plant failure, such as the accident which
occurred at Three Mile Island in 1979, it was decided to consider cases of multiple failure and,
more generally, the means required to contend with plant situations which had bypassed the
first three levels of the defence in depth strategy or which were considered as part of the
residual risk. Such situations can lead to core meltdown and consequently to even higher
release levels. The concern here is consequently to reduce the probability of such situations by
preparing appropriate procedures and equipment to withstand additional scenarios
corresponding to multiple failures. These are the complementary measures aimed to prevent
core meltdown.
Every endeavour would also be necessary to limit radioactive release due to a very
serious occurrence which would nevertheless have involved core meltdown and to gain time
to arrange for protective measures for the populations in the vicinity of the site. It is then
essential that the containment function be maintained under the best possible conditions. The
latter accident management actions are defined in emergency procedures and are outlined in
the internal emergency plan and will be discussed in detail in Appendix III.
Fifth level: Mitigation of radiological consequences of significant off-site releases of
radioactive materials
Population protection measures because of high release levels (evacuation,
confinement indoors, with doors and windows closed, distribution of stable iodine tablets,
4
For PWR's built in France, these systems are:
• the emergency core cooling system
• the steam generator auxiliary feedwater supply system
• the containment withstanding an over pressure of about 4 bar rel associated with the systems ensuring internal
spraying, the automatic isolation of penetrations, containment atmosphere monitoring and, in the case of
double-wall containment, depressurization of the annulus.
126
restrictions on certain foodstuffs, etc.) would only be necessary in the event of failure or
inefficiency of the measures described above. So we are still in a defence in depth
connotation. The conditions of this evacuation or confinement are within the scope of the
public authorities. They are supplemented by the preparation of long or short term measures
for checking the consumption or marketing of foodstuffs which could be contaminated. Such
measures are included in the external emergency plans. The decision to implement such
measures will be based on analysis of the situation by the operator and the safety organisms
and then on environmental radioactivity measurements.
Periodical training drills will also be necessary in this area to ensure adequate
efficiency of the resources and linkups provided.
Elements common to the different levels
Defence in depth can only be satisfactorily implemented if care is taken at each level to
ensure:
x appropriate conservatism;
x quality assurance; and
x safety culture.
The notions of conservatism and safety margins, very closely linked with the
deterministic approach, apply more to the first three levels of defence. Severe accidents, on
the other hand, generally require a less conservative approach, and realistic assessment is
preferable when population has to be protected against substantial radioactive release. Each
level of defence can be effective only if the quality of design, materials, structures,
components and systems, operation and maintenance can be relied upon. Finally, all parties
actively involved in plant safety, whether they are operators, constructors, contractors or
members of safety organizations, must be thoroughly versed in safety culture.
General comments
The notion of successive levels of defence implies that these levels are as independent
as possible. It will consequently be very important to ensure that the same event or failure,
whether single or multiple, could not affect several levels simultaneously, thereby calling the
entire approach into question. This would be the case, for example, if a specific failure
inhibited the systems provided to limit the consequences of the event considered. Safety
system reliability must be adequate. Special design, layout and maintenance rules are applied
to them.
The fourth level was set up to fill in the gaps revealed in the situations envisaged prior
to 1975. This level thus covers measures for the prevention of substantial core meltdown that
ought to have been included in the third level, and provisions for the management of more
severe accidents that fit better into this stage in the phasing of preventive actions.
127
Mitigation of radiological consequences
of significant off-site releases of radioactive materials
Control of severe plant conditions including prevention of accident progression
and mitigation of severe accident consequences
Control of accident within the design basis
Control of abnormal operation and detection of failures
Prevention of abnormal operation
and failures
Conservative design and
high quality in construction and operation
Control, limiting and protective systems
and other surveillance features
Engineered safety features and accident procedures
Complementary measures and accident management
Off-site emergency response
FIG. 14. The defence in depth concept: purposes, methods and means (INSAG-10).
Until recently, levels 4 and 5 were combined in one level. In accordance with the logic
of the defence in depth concept, the need for protective actions with respect to populations in
the vicinity of the site effectively corresponds to the failure, or relative failure, of the measures
taken at the previous level. There must consequently be a differentiation between the two
levels involved.
The efficiency of these principles and methods would be limited if the quality
assurance of all activities involved in the design, supply, manufacture, erection, tests and
inspections, operating preparations and the actual operation itself were not fully ensured. This
depends on the motivation of all concerned and implies appropriate organizational procedures.
Obviously, the quality assurance process is more difficult to apply in the very disturbed
situations covered by the severe accident management but mentioning this idea even in this
case is recalling the need of well structured decision making process and methods to be
prepared for such situations.
3.2.1.4. Defence in depth implementation in operation [22B]
As mentioned, the defence in depth concept is fully applicable for operational activities
and the operating documents as the general operating rules should reflect it in its different
Chapters:
128
Level 1: Prevention
x Plant organization, staff selection and training;
x Normal operation procedures;
x Implementation of the technical specifications.
Level 2: Surveillance
x Periodic testing programme;
x Preventive maintenance programme;
x Incident detection and analysis.
Level 3: Mitigation
x Incident and accident procedures.
Level 4: Accident management
x Beyond design basis accident procedure;
x Internal emergency plan (links with external emergency plan).
Level 5: Emergency response
x External emergency plan.
3.2.1.5. Postulated initiating events [22B]
The defence in depth concept implies that postulated incidents and accidents are
examined by varying the safety functions over a range of possibilities:
x Criticality control (controlling the power);
x Residual power removal (cooling the fuel);
x Radioactive products containment (confining the radioactive material).
The design basis incidents and accidents are chosen to be the most penalising cases
enveloping a family of events of equivalent classes of estimated frequency.
Historical survey
The scope of foreseen situations has evolved over the time thanks to the continual
search for safety improvement, better safety studies and operating experience.
At the beginning of the 1970s, plant design was based on a three-level defence in depth
concept: good design, good surveillance provisions and engineered safeguard systems to limit
the consequences of postulated accidents. These incidents and accidents were assumed to be
due to single failures associated with conventional failure conditions (single failure,
earthquake, loss of external power). Apart from the fuel handling accident, all the scenarios
were assumed to occur during power operation. Duplicating safety related systems was
considered sufficient.
In the mid-1970s, probability studies of total failure of these systems and the associated
consequences showed that duplication was not an entirely satisfactory solution, with the result
that provision was made for complementary measures to contend with these multiple failures.
129
This applies mainly to the scram system, the electrical power, the steam generators feed water
and the ultimate heat sink.
In 1979, the Three Mile Island accident demonstrated that cumulated human and
equipment failures could lead to far more serious consequences than those considered at the
design stage, without calling the overall approach into question. Considering single initiators
or identified multiple failures on a single function was no longer sufficient. Operating
procedures were then reviewed and vastly modified. This was followed by the development
and integration of systems capable of limiting the probability and consequences of severe
accidents.
In 1986, the Chernobyl disaster, although it occurred in a reactor of totally different
design to those used in Western Countries, nevertheless highlighted the organizational
difficulties raised by a severe accident situation (long term release period, consideration of
caesium and strontium, difficulties and drawback of population relocation, insufficiency of the
rate of induced cancer to characterise the effects on the population). Moreover, this accident
led to a review of reactivity accident provisions, with the gradual discovery of several
significant scenarios that had not been previously identified and the subsequent
implementation of requisite preventive measures.
Meanwhile, the publication of probabilistic safety studies demonstrated risks related to
outage situations, seeming thus to confirm trends suggested by operating feedback and the
weight (positive and negative) of the human factors.
Worldwide operating experience shows time after time additional unexpected potential
scenarios and the inadequacy of some initial assumptions (an observed SG tube rupture
frequency 10 to 100 higher than expected). Over the same period, consideration of internal
and external hazards was progressively extended. Consideration of traditional lists of
incidents and accidents is needed but insufficient.
“Excluded” scenarios
Some scenarios cannot be treated along the line of defence in depth as no efficient
engineered safety systems are able to control the situation, to prevent core degradation, to
mitigate the radiological consequences. It is the case when the initiating event induces the
simultaneous destruction of the containment capability
Typical examples are:
x
x
x
x
Sudden rupture of the reactor vessel;
Steam line break between the containment and the main isolation valve;
Steam generator outer shell rupture;
Severe criticality accidents.
They must be identified and recognised in order to be excluded thanks to convincing
prevention and surveillance measures.
130
3.2.1.6. Accident analysis [22B]
A formal incident and accident analysis process is needed as a part of the safety
demonstration. It includes several items that could be summarised as follows.
Choice of pessimistic initial conditions
For each scenario the initial conditions should be the worst authorized ones for the
studied phenomena, with uncertainty margins such as:
x Maximum fission products or primary coolant contamination;
x Minimum temperature coefficient (beginning of life) for heating effects like control rod
withdrawal;
x But maximum temperature coefficient (end of life) for cooling events like steam line
rupture.
Implementation of the single failure criterion
This Convention is designed to provide adequate reliability to the engineered safety
features. Special care is needed with 2 × 100% solution for maintenance and any
unavailability.
The single failure criterion can be threatened by any common cause failure such as fire,
flooding or human intervention. Segregated lay-out is needed associated with protective
measures and intervention procedures.
Conventional loads and conditions combinations
The loss of external power sources is added to each abnormal occurrence, incident and
accident with addition of the safe shutdown earthquake SSE at least for the largest breaks.
Appropriate and established design margins
Design and construction codes should fix the level of adequate margin associated with
testing methods.
Prevention of accident degeneration
An incident should not induce another incident of the same category or degenerate in
an incident of the following one. The physical effects and mechanical loads due to an accident
should be considered to avoid additional consequential failures.
Human intervention grace period
Automatic devices should be sufficient to manage the design basis accidents during at
least 20 minutes to decrease the adverse stress effects on the operators.
131
Calculation of radiological consequences
For the design basis accidents these calculations are based on noble gas, and iodine
with very pessimistic transfer coefficients (mainly for iodine although there are very large
differences from one country to another). The assessment assumes that people are living close
to the plant fence and submitted to a unique plume passage (2 hours). Acceptance criteria are
based on health effects on man (increase of fatal cancer rate).
The Chernobyl accident showed the limits of this approach for severe accidents and for
the preparation for external countermeasures. The source terms should be evaluated through
more realistic methods but still be conservative and cover more radioactive materials like
caesium or strontium and with potentially longer releases.
Acceptance criteria are based on ICRP publication N° 63 and consider life disturbance
such as people displacement or soil and foodstuffs contamination.
3.2.1.7. Internal and external hazards [22B]
Internal and external hazards that are not initiating events should not induce such
failures. In addition, they should not decrease the potential of engineered safety system to act
properly when they are needed which requires specific care for the prevention of common
mode failures.
A typical list of internal events is:
x
x
x
x
x
x
Missiles from inside the containment.
Results of piping breaks.
Turbo-generator bursting.
Protection against load dropping.
Fire protection.
Internal flooding.
A typical list of external hazards to be considered as appropriate:
x
x
x
x
x
x
x
x
x
Earthquakes.
Soil movements.
Volcanoes.
Aircraft crashes.
Explosions.
Fires.
Toxic or corrosive gases.
Floods.
Meteorological hazards (wind, snow, hurricane, tornado, extreme temperature).
Probabilistic evaluation can be used for some internal and external events like turbine
missile, aircraft crashes and explosions that need the definition of an indicative threshold. An
annual probability value of 10-7/plant for “unacceptable consequences” is used in some
countries. If needed and to avoid difficult demonstrations, the protection of the equipment is
provided by the capability of the related buildings to withstand the impact in defined
132
conditions. Most of internal and external hazards are coped with by preventive measures but
fires are treated by prevention, surveillance and mitigation.
3.2.2. Assessment of modifications — German and Finnish experience
The operating organization is responsible for plant modifications as it is for the initial
design. As a minimum, any modification that modifies the initial design approved during the
licensing process requires an authorization.
3.2.2.1. German classification of modifications [17]
The scope of permitted activities is stipulated in detail by additional conditions in the
nuclear licences. Under which conditions and in which way modifications of the plant and its
operating mode are to be made is particularly laid down in the Atomic Energy Act (AtG) and
in the licences. This concerns not only modifications of the system design but also
modifications of the operating mode and organization of the plant.
It is stated in Paragraph 7 of the Atomic Energy Act that not only the construction and
operation of nuclear facilities are subject to licensing, but also major modifications to it. The
proceedings in this respect are the same as those applied for licensing of construction or
operation. Details are stipulated in the Nuclear Licensing Procedures Ordinance (AtVfV).
Major modifications, which are subject to licensing therefore, are in general
modifications:
x Leading to a considerable change of activity release during normal operation or during
incidents;
x Leading to an increase of the allowed activity inventory of the plant;
x Leading to a change of the maximum permissible reactor output;
x Concerning the basic design features of the plant or its operation;
x Extending the licensed use of nuclear fuels or the handling of radioactive substances;
x Connected with significant structural changes.
Modifications subject to licensing are to be published and debated in public before the
granting of a license if the impact of the plant on the environment may be changed or
increased following such modifications. By this, the citizens concerns are informed about the
planned modification and are enabled to raise objections or to bring an action against the
license. The general public is not involved in case of insignificant modifications, i.e.
modifications not subject to licensing.
In the operating licences of nuclear facilities, it is in general stipulated by additional
conditions that also modifications not subject to licensing have to be reported to regulatory
authority and may only be carried out within the scope of a prescribed modification procedure.
In most cases the modifications are categorised according to their safety-related relevance:
133
x Modifications having an impact on the safety level of the plant — often denoted as safetyrelevant modifications — in general are subject to approval by the regulatory authority and
can be made contingent upon the fulfilment of specified requirements.
x Modifications having no impact on the safety level of the plant — safety-irrelevant
modifications — can be carried out autonomously by the operator according to plant
internal specifications without special approval of the supervisory authority. These
modifications have only to be reported to the regulatory authority and the experts
consulted to verify the correctness of the categorisation.
x Insignificant modifications as well as editorial changes of written internal regulations may
be performed according to internal specifications without advance information of the
regulatory authority and the authorized expert.
The definition of the different categories of non-significant modifications is somewhat
unclear and is stated differently by each responsible regulatory authority so that only a rough
characterisation can be made:
x Safety-relevant modifications are those of safety systems or other systems relevant for the
nuclear safety and radiation protection, or they are safety-relevant if by the modification
there are potential negative impacts on such systems.
x Not relevant for the safety are modifications to non-nuclear systems as far as there are no
potential impacts on nuclear systems.
x Insignificant modifications are minor modifications in areas without nuclear safetyrelated relevance.
x Editorial changes are changes to written internal instructions that do not affect the factual
contents of the instruction.
Implementation of modifications
Safety objectives of a modification should be proposed by the operating organization
or can be notified by the regulators. Technical solutions are always the responsibility of the
operator.
Any modification should:
x Take into account any available information related to any relevant incidents, gathering as
many of them as possible;
x Take into account the initial design basis in order to avoid loss of initial characteristics;
x Be easy to test in a representative manner;
x Be tested as long as needed;
x Be integrated in plant documentation and in operating staff training.
134
A significant change in operating conditions like an increase of the fuel burn-up rate
should be studied like a significant modification and justified by the applicant to the safety
authority.
Subsequent difficulties should lead to a complete reassessment of the modification
justification and testing.
3.2.2.2. Assessment of system modifications in Finland [23]
A system pre-inspection is carried out in the form of an assessment of the preliminary
and final safety analysis reports and the related topical reports during the construction phase.
During the operation of a nuclear installation, a system pre-inspection of plant modification
can be conducted on the basis of separate system pre-inspection documentation before the
final safety analysis report is changed. Pre-inspection documents shall be submitted to the
regulatory body (STUK) for approval at least concerning the modification of systems in safety
classes 1, 2 and 3 as well as the modification of systems STUK has earlier requested
inspection for other reasons. Modification of systems inspected by STUK earlier are submitted
to STUK at least for information. Also an individual component modification which
significantly changes a system’s operation or its operating parameters is considered a system
modification.
The pre-inspection documents of the system modification contain the following:
x
x
x
x
x
Causes and justification for the modification;
System design bases;
Description of the operation of the system’s modified part;
Analysis of the system;
Any other reports deemed necessary.
The reasons for modifications are always stated and justified. In the basic system
design it is stated which guides and standards have been used in design. The design bases
include also the following items:
x Safety class;
x Design parameters (pressure, temperature, flow, chemical environment, requirements
concerning leak tightness etc.);
x Ambient conditions;
x Requirements for structural materials.
In the description of the operation of a system’s modified part, the system’s operation
during normal operational stages as well as during anticipated operational transients and
postulated accidents are described. The modification’s impact on operation is described. The
necessary diagrams and drawings as well as the design parameters of the most important
components are included in the description of operation. The description shall be extensive
enough to contain all information required for a system analysis.
The objective of the system analysis is to ascertain that the system operates in
conformity with the design and that the modified system meets the requirements set forth in
the guides and standards applied in system design. In connection with extensive
135
modifications, disturbance and accident analyses for the installation as well as system
reliability analyses are repeated to the extent deemed necessary if the conducting of such
analyses for the system in question was required previously.
Changes eventually proposed to the technical specifications and test run programme of
the modified system are submitted for approval together with pre-inspection documentation,
or, well in advance of the test run. The proposal containing the changes required in a system’s
operating procedures are submitted to STUK prior to the commissioning of the system.
Changes of the final safety analysis report are submitted to STUK after the implementation of
the modification.
As regards work arrangements during a system modification, reports on radiation
protection, fire protection and physical protection are provided where necessary.
3.2.3. Assessment of operational experience — French experience [22]
The main objectives of the assessment of operational experience can be summarised as
follows:
x To avoid re-occurrence of observed failures from equipment or human origin.
x To detect precursors of more severe accidents.
x To assess whether the plant behaviour and equipment reliability are consistent with the
design assumptions. This provides additionally actual equipment reliability data needed
for PSA.
x To assess that the modifications give the desired results without any detrimental secondary
effects.
x To detect as soon as possible ageing phenomena.
x To check the overall quality of operation practices.
For each unit all the information provided must be used locally. Information from other
units of the same type or even very different, from the same country or from abroad is also
beneficial.
The assessment of operational experience must be carefully structured within the
operating organization and within the regulatory body. The presentation of the French practice
illustrates a way to handle this important topic.
Detection and declaration of abnormal events are the responsibility of the operating
organization. Inspections may check that no declaration is missing.
The French context is specific: one organization operating a large number of identical
or similar reactors, of which it is the architect-engineer. At the beginning of 1998, thirty-four
900 MW(e) PWR’s and twenty 1300 MW(e) PWR’s were in service. Two 1400 MW(e) units
went critical and started operating, two others are at the end of the construction phase. Starting
from initial criticality in each plant, this gives an accumulated 900 MW(e) unit experience of
about 550 reactor-years and 1300 MW(e) unit experience of about 200 reactor-years, thus
totalling around 750 reactor-years of experience concerning reactors which are still relatively
136
“young”. The result is that there is a considerable mass of consistent data, which is a huge
advantage for plant operation.
On the other hand, it is obvious that with such a system very fast identification of
problems liable to occur in a whole family of plants is vital, since otherwise a very specific
type of “common mode” failure could lead to national grid power supply deficiencies, which
would be difficult to cope with in a country where three-quarters of the electricity comes from
nuclear power plants. Likewise, any changes or modifications involving a significant
percentage of the installed capacity can only be undertaken in compliance with stringent
requirements and with all due precautions.
3.2.3.1. Incident selection
In order to facilitate the task of both operators and the safety authorities, it was decided
to define two groups of safety-related events, of different levels of severity and to which
different methods of analysis were applied, whereas all other non-safety-related incidents gave
rise to no particular transfer of information.
Safety-related events
Presuming that the technical operating specifications comprise all instructions
pertaining to the availability of plant safety-related equipment and to the limiting values
assigned to the various operating parameters, any failure of such equipment resulting in it
being reported unavailable or any overstepping of a threshold is considered to be a safetyrelated event. This definition is fairly straightforward for the operators, since they have to
monitor both this equipment and these parameters, in any case. The necessity for reporting
these events is well understood by the operating personnel, who are accustomed to using these
Specifications, but less well by the maintenance staff. EDF is taking steps to gradually
improve this situation.
As these safety-related events are not in themselves serious incidents, they need not be
the subject of specific reports from the operator, but must, on the other hand, be immediately
entered into a national data base, managed by EDF and accessible to the DSIN and the IPSN.
The number of safety-related events entered into the EDF file increased rapidly between 1990
(2600) and last year (9500 in 1997), faster than the number of operating units, thanks to the
development of the safety culture. The average number of reports per unit is about 175 for the
900 MW(e) plants and 200 for the 1300 MW(e) plants. Certain plants have increased the
number of events reported in compliance with recommendations following an EDF in-house
nuclear inspection.
Significant incidents
Generally speaking, safety-related events do not in themselves call for detailed analysis
nor are they severe accident precursors. The latter are more likely to be found in another
category of operating non-conformance, classified as significant incidents. These are generally
safety-related events which also satisfy certain specific criteria defined by the DSIN after
discussion with the operators. These criteria were precisely defined with a view to obtain their
automatic application without excessively different interpretation from one plat to another.
they were formalised in 1982 but, there again, owing to the difficulties encountered and
137
discussed with the safety organizations, EDF periodically revises the corresponding internal
procedures to improve uniformity of application between the different plants.
The significant incidents reporting criteria may be summarised as follows:
x Emergency shutdown, except in the context of a deliberate scheduled action or defects
affecting the turbogenerator;
x Implementation of an engineered safeguard system, except in the context of a deliberate
scheduled action;
x Any incident where, in any standard operating state, a change of state would be incurred
by application of the technical specifications;
x Long-term unavailability or multiple inoperability;
x Overshooting certain thresholds or authorized values;
x Actual or potential common mode failure (fire, onsite flooding, system interaction, design
or construction error liable to concern several sets of equipment or several plant units,
etc.);
x External hazard: earthquake or plane crash, for example;
x Real or assumed malevolent act;
x Uncontrolled radioactive release or that exceeding the authorized levels;
x Exposure of people beyond the specific worker exposure limits;
x Incident of nuclear origin having caused loss of life or serious injuries;
x Malfunction or incident placing or able to place the plant outside its design basis operating
range;
x Any other event deemed sufficiently important by the operating or safety authority.
A significant incident must be reported to the safety organizations by telex on the day it
occurs or on the next working day and be reported within two months in a detailed analysis
conforming to a given standard procedure. The first analysis is made by the plant concerned
and is supplemented, if required, by a second analysis performed by other specialized EDF
departments. Direct exchanges between safety authority analysts and the operators can be set
up as soon as the telexed report is received. This is particularly the case when it is feared that
at least several plants could be concerned by the faults identified or when a severe accident
precursor is suspected.
The mean number of significant incidents is more or less constant over several years —
about seven to eight per year, per unit — there are significant variations from one site to
another. Almost half of these incidents now occur during unit outages. This confirms the
138
specific difficulties of these periods and probably also witnesses the penetration of safety
culture: perhaps certain incidents with no consequences for plant unit operation would
previously not have been reported.
In any cases, detection and declaration of safety significant events and significant
incidents are the responsibility of the operating organization. Inspections may check that no
declarations are missing.
3.2.3.2. Significant incident analysis methods
The methods described below were gradually elaborated by collective team work.
From the outset, the IPSN has been an instigator, devising approaches to be adopted and
developed by the operating utility.
Collective examination of events and incidents
At the IPSN, supervision of a set of plant units (ideally two units) is particularly
entrusted to a specific assignment engineer. In order to derive maximum benefit from PWR
standardization, each specific assignment engineer is informed of all significant PWR
incidents by circulation of the relevant telexes and reports. All the incidents are reviewed
during weekly meetings, when the most important occurrences are short-listed. During these
meetings, the specific assignment engineers indicate the most significant recent “safety-related
events” and exchange available information on incidents abroad. In this way, each analyst is
informed of occurrences affecting the French PWR population and of significant incidents
reported abroad. In the EDF head office departments, the working method is much the same.
Selection of significant incidents for in-depth analysis
The significant incidents for in-depth analysis are selected during these meetings. The
selection criteria are not formalised but may be outlined as follows:
x Incidents which have an affinity with the corresponding design basis incidents, with an
estimated frequency of below 10-2 per year and per unit, or which are capable of leading
to such incidents, possibly under different operating conditions;
x Incidents not foreseen at the design stage;
x Accumulated safety-related system failures and accumulated errors, whether due to
random faults, common mode failures or system interaction;
x Incidents giving rise to errors resulting from failure to understand plant behaviour or
safety requirements.
x Significant effect on core-melt frequency indicated by PSA.
There is consequently a systematic, although often implicit, reference to the design
rules and criteria, enabling appraisal both of the gravity of the incident and the validity of the
design rules. The 400 to 450 significant incidents on French PWR’s reported every year give
rise to ten to twenty in-depth analyses, each of which may cover several incidents.
139
Example of classification
An example of classification relating to different types of events occurring on the same
function will illustrate the differences between the levels.
When one emergency core cooling train (out of two) is unavailable the technical
specifications require to have reached cold shutdown before a time limit of 3 days if repair
work and requalification cannot be done properly in shorter time.
x The unavailability of one train discovered by a periodic test, having a non generic cause,
and for which repair and requalification can be done in less than 3 days is a safety related
event.
x The unavailability of one train discovered by a periodic test, but possibly generic, and/or
asking for repair and requalification more than 3 days is a safety significant incident.
x Both low-head ECCS pumps tripping on an ECCS signal (as occurred at Blayais 1 in
1991) represents a precursor event.
In depth analysis
The starting point for analysis will be a thorough acquaintance with how the incident
took place, which safety functions were implicated, how operators and equipment behaved,
what the consequences were, together with knowledge of any similar incidents which may
have occurred. Despite the quality of the operator incident reports, the information supplied
usually has to be supplemented by direct contacts with the plant or the relevant EDF head
office departments and, in many cases, by inspection of the buildings and equipment
concerned.
The first action consists in determining whether, in other circumstances, the same
accident would have had far more severe consequences. This is known as exploring the
degeneration paths and can be summed up by the question “what if ? ...”. The second action
consists in seeking the root causes of the incident by tracing back as far as possible along the
branches of the incident cause tree, not only as regards equipment, but also procedures and
human behaviour, differentiating between what is specific to the plant considered and what
could occur at any units of the same type. The third action consists in applying to other
equipment, systems or situations the root causes identified to make sure that they could not
initiate entirely different sequences of consequences, which could be potentially serious.
The analysis then proceeds with the identification of incidents of the same type or of
possible precursor events. It is, of course, obvious that the in-depth analysis of a significant
incident must not be isolated from the overall context of other incidents in France or
elsewhere and that parallels should be freely drawn. So this concerns both events having the
same material, human or organizational origins and incidents arising from similar scenarios.
This grouping of incidents is an essential element in the valid appraisal of data provided by a
significant incident.
The first corrective steps proposed by the operating utility are often simple
compensatory measures, such as instructions aimed at precluding scenarios with more severe
140
consequences further to an initiator of the same type as that observed. Such “administrative”
steps can generally be taken without loss of time and at low cost. Analysts and operators
readily agree on this type of measure. However, it is not so easy to arrive at agreement in cases
where modifications to the plant are deemed necessary, especially if these have to be extended
to other equipment or several plant units.
IPSN in-depth analysis reports on significant incidents systematically conclude with
recommendations that may be reformulated by the DSIN as requests to the operating utility or
special requirements. Before transmission to the DSIN, draft recommendations are, of course,
discussed with the operating authorities both as regards the measures required and the time
allowed for their implementation. These technical contacts provide good opportunities for
deep thinking. They in no way infringe IPSN autonomy, since points of agreement and
disagreement are clearly explained with arguments for or against. It should also be borne in
mind that the IPSN is required to express its decision as to the acceptability of proposals made
by the operating utility. It is not within the scope of its function to prescribe technical
solutions. These have to be determined by those responsible for the installation.
Guidelines for significant incident analysis
This analysis method was gradually structured by the EDF head office departments to
assist the different plants in conducting as exhaustive an analysis as required.
The main steps are as follows:
x Cause analysis:
Data collection.
Logical sequence of events.
Identification of failures and inappropriate actions.
Identification and explanation of discrepancies with respect to the quality assurance
system.
x Assessment of effective consequences:
For reactivity control.
For core cooling control.
For containment control.
x Identification of operating scenarios disturbed by failures and mistakes:
Characteristics of the disturbed scenarios.
Identification of the disturbed scenarios.
x Assessment of potential consequences:
Elaboration of an event tree for each disturbed scenario identified considering the
initial state, subsequent undermined states, the defence in-depth lines of defence
provided and the quality assurance system.
Identification of fault conditions elsewhere in the plant, in other units in the plant
considered or on other French sites.
x Corrective actions:
Required to restart the installation or maintain power operation.
Required to preclude fault conditions and inappropriate actions.
141
This method is more and more consistently applied by the plants, resulting in the
gradual improvement of significant incident reporting. It is obviously also applied for all indepth analyses deemed necessary by the EDF head office departments.
3.2.3.3. Safety case study: the Three Mile Island accident [22]
The Three Mile Island nuclear power plant is located on the Susquehanna River in
Pennsylvania, USA, 16 km from the state capital, Harrisburg, a city of 90 000. It has two
900 MW(e) units with pressurised water reactors designed by Babcock and Wilcox. The
second unit of the site started commercial operation on December 30, 1978.
The Babcock and Wilcox 900 PWR design uses 2 steam generators of the oncethrough type. These steam generators are long, about 28 meters, which induces a specific
layout : the bottom of the steam generators is lower then the core inlets (Fig. 15). Then the
transition to natural convection cooling on the primary side can be difficult in some
conditions. Furthermore, they only contain a small amount of secondary cooling water,
making the installation rather sensitive during certain kinds of transient.
In the case of a loss of normal SG feedwater there is an increase in temperature, hence
in pressure, in the primary cooling system, systematically leading to opening of the pressurizer
relief valve, during a few seconds.
Containment Spraying
Relief Valve
Block Valve
Safety Valves
Steam Generator
Pressurizer
Level Indicator
Core
Vessel
Primary Pump
Pressurizer Relief Tank
FIG. 15. Main layout of Three Mile Island NSSS.
142
Simplified scenario
The accident starts at 4:00 a.m. on Wednesday March 28, 1979 with the loss of normal
water supply to the steam generators. The primary transient causes emergency shutdown,
which gradually lowers pressure in the primary cooling system. After 12 seconds the relief
valve receives as normal the command to close but this valve remains jammed open. The
primary cooling system continues to discharge into the pressurizer relief tank, located in the
containment, at a flow-rate of 60 metric tons per hour (there are approximately 200 metric
tons of primary coolant).
The steam generator auxiliary feedwater system pumps start up normally after 30 seconds, but
the connecting valves between the pumps and the steam generators are closed instead of open,
due to a maintenance error. The generators dry out in 2 to 3 minutes, stopping all cooling of
the primary system. Although the position indicator for these valves located in the control
room signal this fault, eight minutes pass before the operators identify the fault and give the
command manually to open the valves. Twenty-five minutes pass before the situation of the
secondary cooling system stabilises, after numerous operations, no doubt commanding all the
attention of the operating team.
During this time, discharge through the pressurizer relief valve continues. After two
minutes, pressure in the primary cooling system has decreased to approximately 110 bar. The
emergency core cooling system starts up automatically and sends cold water into the primary
system. The operators check the indicator of the relief valve and see “valve closed”, which in
fact is not true. The indicator transmits the command received by the valve, and not its actual
position, to the control room.
Finally, the operator concentrates on the water level in the pressurizer. The water level
in the pressurizer, after lowering at first when the valve was opened, then started to rise
rapidly, between the first and approximately the sixth minute. This rise is perfectly normal
when there is an opening in the upper part of the pressurizer, but the operators in this plant
ignored this fact and had not been trained for this type of situation. In any case, faced with this
rapid rise in the pressurizer water level, the operators, believing the relief valve to be closed,
are afraid to inject too much water into the system, and therefore stop emergency core cooling
manually after less than five minutes. The operators’ mental image of the situation was false,
but the actions they decided to perform were obviously based on this image. As of this
moment, the water draining from the primary system is not replaced. There is a break in the
primary coolant system and the emergency core cooling system is shut down completely.
The primary system continues to drain. After 6 minutes, boiling starts. The primary
coolant circulating pumps continue to work, circulating a mixture of water and steam
comprising more and more steam; however, they manage a certain amount of cooling thanks
to the steam generators supplied by the secondary system. The rest of the energy is removed
through the primary system break. After fifteen minutes, the pressurizer relief tank rupture
disk gives way. The escaping primary coolant now goes directly into the containment. The
pressurizer is filled with a mixture of water and steam. Its level indication is meaningless. The
proportion of steam in the primary coolant increases. The primary pumps have more and more
trouble, and start to cavitate and vibrate. These vibrations become excessive. The operators
stop one pump after 1 hour 13 minutes, and the other 27 minutes later, hoping that natural
circulation will set up in the primary system. In fact, water and steam separate, with steam
accumulating in the top and water in the bottom. There is no longer any circulation of primary
143
fluid and therefore no heat exchange takes place between the reactor core giving off residual
heat of a few tens of MW and the steam generators. The heat from the core continues to bring
the cooling water to the boil. No more water is being supplied, and the level in the core drops:
the core is uncovered. Cooling of the fuel becomes less effective; cladding temperature
rapidly increases to 850°C, then past 1300°C. At these temperatures, zirconium reacts
chemically with steam to form zirconium oxide and hydrogen. This reaction produces heat,
increasing temperatures yet more. Fuel cladding melting point is reached, and there is
significant release of fuel fission products to the primary coolant and from there to the
containment.
After 2 hours 14 minutes, a radioactivity alarm goes off in the containment. The
operators are forced to realise the gravity of the situation. Realising that they may well have
transferred radioactivity through the relief valve, which had a high leak rate before the
accident, they close the line-isolating valve and thereby stop discharge. This also stops all heat
removal. The core continues to heat, and primary system pressure increases. The operators
start up one of the primary pumps, which sends water cooled in the steam generator onto the
extremely hot fuel, which disperses those parts of the fuel above the water level within the
reactor vessel.
After 3 hours 12 minutes, vaporisation of water on the fuel has caused primary system
pressure to rise to a dangerous point. The operators re-open the relief line-isolating valve,
drainage starts up again, letting out coolant which is even more radioactive. More
radioactivity alarms go off, some of which are outside the reactor building. The water that is
spilling into the containment is taken up by automatic sump pumps, which send the
contaminated water to storage tanks located in an auxiliary building that is not hermetic.
These tanks then overflow and create a source of radioactive steam that can escape outside the
plant.
A state of emergency is finally declared. The containment is isolated, stopping transfer
from the sump to the auxiliary building. It is now three hours and twenty minutes since the
accident began. The operators start the emergency core cooling system again at a low flowrate, causing a new shock between the cold water and the hot fuel, then at nominal flow-rate.
The core cools, four hours after the first event. It will take another twelve hours to discharge
from the primary cooling system most of the hydrogen and fission gases that prevent it from
being filled. This is done by alternately opening and closing the pressurizer relief line and
starting up safety injection and primary pumps. A localised explosion of about 320 kg of
hydrogen in the containment, after 9 hours 50 minutes, induces a 2 bar pressure spike in the
reactor building, without causing any particular damage.
At 8:00 p.m. on Wednesday, March 28, 1979, the accident itself is over. However, it
will take several days more to calm fears of a possible hydrogen explosion in the reactor
vessel. The damage to the fuel elements far exceeds that provided for in the worst possible
design basis accident. Six years later, in 1985, when it was possible to pass a television
camera between the lower internal core structures and the vessel, it was found that 45% of the
fuel had melted, along with elements of the cladding and the structures totalling 62 metric
tons and forming what is called corium. About 20 metric tons of this corium, formed from the
upper part of the fuel, had forced its way through an outer ring fuel assembly and the reactor
core external baffles to reach the vessel bottom head itself, but fortunately did not melt
through it (see Fig. 16).
144
Upper grid
Damage
Cavity
Core debris
Baffle plate
Crust
Molten materials
Molten materials
Incore instrumentation guides
FIG. 16. Core final status.
In spite of this catastrophic fuel situation and the significant transfer of radioactivity to
the containment, the immediate radiological consequences in the surrounding area were
minimal. Indeed, the containment fulfilled its role almost perfectly. Only the sump transfer
pumps were responsible for radioactive release for a limited period. This release, estimated at
13 million curies of xenon and about 10 curies of iodine (i.e. 5.105 and 0.4 TBq), had only
very limited consequences. It is estimated that an individual downwind at the edge of the site
throughout the accident would have received a dose of less than 1 mSv (100 mrem),
equivalent to the annual dose of natural radiation. The operating personnel received a slightly
higher, but still quite limited dose during the accident, and had to wear masks for a few hours
Three technicians received doses between 30 and 40 mSv (3–4 rems) during primary coolant
sample-taking operations. The collective dose received by the plant workers from the onset of
the accident to the end of fuel removal in 1989 is estimated at 60 man-Sv.
145
Accident analysis: direct causes and root causes
The first event of this scenario is the failure of the normal steam generators feedwater
system due to an human error during a minor maintenance activity. This demonstrates the
absolute need to reduce the occurrence of any type of abnormal event but the direct causes of
the core meltdown are to be searched a step forward and then two direct causes appear:
x The pressurizer relief valve stuck open;
x The emergency core cooling system was stopped by the operators.
Instead of focusing on these direct causes, the prevention of the reoccurrence of
equivalent events needs to identify and treat the actual root causes. A list of the major findings
is presented.
Design deficiencies
x The loss of normal feedwater which is an anticipated operating occurrence leads to the
opening of the pressurizer relief valve which is an other anticipated operating occurrence;
x A break in the steam phase of the pressurizer is not considered. There is no procedure to
identify and manage this event and the operating staff is not trained for it;
x The actuation of the emergency core cooling system does not actuate a complete
containment building isolation.
Man-machine interfaces
x Global control board weakness with, in particular indications of order instead of position
without specific warning, no alarm only at nominal power leading to a lot of alarms in any
shutdown condition and without any possibility to identify the initiating difficulties,
insufficient pressure and temperature indicators range;
x Existing emergency operating procedures difficult to use.
Multiple latent deficiencies (organization, maintenance, quality, ... )
x The pressurizer relief valve had been known to be leaking for a while but the repair work
was postponed so increasing the probability of a jammed open valve and depriving the
operators of a way to identify the valve situation: the temperature of the pressurizer relief
line;
x The closed connecting valves of the steam generators auxiliary feedwater system added a
complete loss of feed water system to the complete loss of emergency core cooling system
and focused the attention of the operating team;
x An effluent tank was leaking;
x The iodine filters in the auxiliary building had poor efficiency.
146
Global and collective excessive confidence (complacency)
This general attitude towards nuclear activities is not specific to this type of design or
to this operating organization but can be considered as widely spread world-wide at that
period. This can be seen by different signs:
x An accident more severe than a LOCA is not considered. No on-site accident management
is needed as well as any off-site emergency preparedness.
x Even design basis accidents are just considered as conventional. Then the emergency
operating procedures are difficult to use and relate only to the short term (mainly
automatic actions).
x Limited use of operating experience (precursor event at Davis Besse). Incidents without
actual consequences are considered as trivial and the practice of information exchange on
operation difficulties is not established.
Lessons learned
The first three lessons were the following, leading to a very large evolution of the
safety approach and significant improvement of the safety of a majority of plants.
Beyond design core conditions can occur resulting from multiple equipment or human
deficiencies.
A resistant and leak tight containment resulting from the implementation of the
defence in depth concept (3 levels) can be efficient to mitigate the radiological consequences
even in the case of most beyond design accidents.
Man is an essential element of safety.
Corrective actions
x Initiation of large cooperation programmes of research and development to improve the
knowledge available in core melt conditions and related conditions.
x Development of severe accident management related to severe cooling conditions
including containment isolation and surveillance, hydrogen explosion, containment
venting, basemat melt through.
x Large adaptation of the control-room tools in general ergonomic (position sensors,
enlarged indicators scales, primary coolant boiling monitor, ...), Alarm ranking, safety
parameter display system.
x Improvement of containment isolation.
x Consideration of the complete loss of redundant systems in safety analysis.
x Development of provisions for management of large quantities of radioactive effluents.
147
x Development of operating experience feedback structure within the operating company, at
national level and with the regulatory bodies; Exchange of information at international
level.
x Development and implementation of quality assurance programmes at NPPs.
x Improvement of operators training.
3.2.4. Periodic safety review, reassessment for renewing the operating licence — French
experience [22]
The Periodic Safety Review is a relatively new step in the licensing process. The first
publication of an IAEA safety guide on this topic occurred in 1994 with the Safety Guide 50SG-O12, Periodic Safety Review of Operational Nuclear Power Plants [24] and the good
practices in member countries are still in evolution.
This safety guide suggests a list of 11 factors: actual physical condition of the nuclear
power plant, safety analysis, equipment qualification, management of ageing, safety
performance, use of experience from other nuclear power plants and research findings,
procedures, organization and administration, human factors, emergency planning and
environmental impact.
Three main steps are suggested for the review procedure.
x Step 1: Assessment of current nuclear power plant safety that needs to obtain information
on all safety factors and to assess them by current methods and against current safety
standards and practices. This leads to a list of nuclear power plant strengths and
shortcomings for each safety factor.
x Step 2: Interim safety review based on existing information and expert judgement to
evaluate all shortcomings, fix their priority and assess the adequacy of remedial actions
and interim measures.
x Step 3: In-depth safety review based on analysis of available information, PSA insights
and expert judgement: evaluate all shortcomings, associated remedial actions and interim
measures and nuclear power plant strengths.
This methodology allows one to identify the resolved and the unresolved shortcomings,
to assess risks associated with all unresolved shortcomings and to reach a conclusion about
the final acceptable or unacceptable safety level of the plant.
Safety deficiencies detected by this process, are classified according to safety-related
relevance. The criterion in this respect is the extent of damage to the plant or its surroundings
associated with its estimated frequency. Following this, there are three assessment categories,
used in some countries, for the order of priority of corrective measures.
Category I: The extent of damage within and outside the plant and its estimated frequency
deduced from the deterministic and probabilistic analyses cannot be tolerated. The required
precautionary measures are no longer adequate. Immediate measures have to be taken.
148
Category II: The actual condition of the plant and its operating mode can limit the risk only to
a limited extent. The safety deficiencies identified endanger the fulfilment of criteria for
meeting the safety objectives. The probabilistic analysis indicates event sequences with
relatively high damage frequency or increasing extent of damage representing an imbalance of
the safety-related design or operating mode of the plant. Medium-term measures are required,
interim solutions may be necessary until their implementation.
Category III: The actual condition of the plant and its operating mode guarantee the necessary
precautions. The measures available fulfil the criteria for meeting the safety objectives. The
results of the probabilistic safety analysis confirm the balanced safety level of the plant The
non-conformance identified on the basis of the operating experience evaluation and the
comparison with the current level of the engineered safety features, however, indicate
possibilities for improving safety. Measures to improve the safety level have to be
implemented, if need be, considering the appropriateness of expenditure compared to the
increase in safety.
3.2.4.1. French periodic safety review practice
Since 1978, France had undertaken the safety review of all nuclear power plants which
had been operated for more than 10 years but without the systematic character that is now
understood under this wording. All of them but one (Phenix) have been shutdown for
economic reasons
Application of this practice to the first six 900 MW(e) PWR units at the Fessenheim
and Bugey plants was on a totally different scale. These plants went critical between 1977 and
1979 and are similar to the other 900 MW(e) units, the last of which were commissioned in
1987. They still have a long life span before them.
The Fessenheim and Bugey plant safety review represents a vast amount of work
undertaken over a period of 5 years, which does not include the actual implementation of
decisions made towards the end of the period. It began in 1987 with a discussion of the aims
and limits of the practice, providing useful guidelines for subsequent reviews.
Aims of safety reviews
In the French practice, plant safety assessment is a continuous process. The changes in
safety approach related to the consideration of complementary operating conditions and the
integration of severe accident procedures and resources have led to modification of all plants.
Operating feedback from France and abroad and analysis of incidents reported have also
resulted in the continuous adaptation of French plants. A plant safety review is consequently
complementary to the continuous safety enhancement process. It provides an opportunity to
identify aspects not dealt with in the latter context.
The idea of a plant safety review after about 10 years of service life has much in
common with that underlying the regulatory 10-yearly complete overhaul of the main primary
system, required by the regulations specific to these components. The main aims are as
follows:
149
x Obtain a complete operating record covering a significant period, integrating in-service
inspection results and accounting for the various transients undergone by the main primary
system, enabling notably comparisons with the design basis data;
x Compare the current safety level with the anticipated design basis level. this would be a
qualitative appraisal;
x Make sure that the operating feedback process is systematically applied;
x Ensure that general know-how advances have been put to good use and that the continuous
analysis and follow-up of plant safety has been effectively carried out;
x Identify ageing factors which could justify surveillance programme modifications or even
curtail plant lifetime;
x Identify significant design differences adopted for more recent units with respect to a
reference model;
x Estimate the safety feasibility and interest of any modifications to plants or operating
procedures, derived from the above comparison.
An additional objective of EDF was to stabilise the plant safety reference as at the end
of each review in order to prevent a continuous process, involving numerous modifications,
from having a negative safety impact.
The safety review of an old plant does not mean requiring it to comply systematically
with the most recent safety practices, but implies determining under what conditions it could
continue to operate. The safety characteristics of the most recent 900 MW(e) units, modified
as provided for at the beginning of the review were selected as the reference basis for review
of the earliest 900 MW(e) units.
Elements likely to have changed
The plants under review had all been subjected to the regulatory authorization
procedures in force at the relevant periods and had consequently undergone a safety
assessment. The purpose of the review is to identify factors liable to modify the conclusions of
these assessments. This leads us to the five areas discussed below.
Regulations and regulatory practice: In most cases, changes to regulations or in regulatory
practice explicitly exclude systematic retroaction, but there is nothing to prevent assessment
of the discrepancies with respect to the new texts in force.
Safety objectives and options:. Many changes have been seen in specific safety objectives and
options as the successive standardized plant series were defined. In particular, the list of
external hazards and the ways of dealing with them differ from those defined for the first
900 MW(e) PWR units. Also worth noting are the inclusion of complementary operating
conditions, the introduction of a state-oriented approach or the preparation for severe accident
management.
150
Operating feedback and enhancement of know-how: It would, of course, be superfluous to
dwell on the merits of operating feedback, but it is worth noting that safety study advances do
not necessarily lead to larger safety margins but often simply clarify their demonstration. As
tools are perfected, these margins may even, in some cases, be reduced. A characteristic
example would be the changes that have taken place in reinforced concrete structure design
methods, where substituting the elasto-plastic for the elastic structural design field enables
reduction of the real margins, which were also better understood. As regards ageing, the main
difficulty is to ensure that phenomena are accurately identified and monitored. Feedback on
simulator training for operators also provides much useful information, since the difficulties
evidenced during accident situation simulation have, fortunately, not been experienced on the
sites themselves.
Plant modifications: Many safety policy changes have, of course, led to plant modifications.
In harmony with the underlying homogeneous plant population approach, this modification
programme resulted in definition of an “end of series condition” for the CP1 and CP2 series of
900 MW(e) units, aimed at limiting but not precluding subsequent modifications. For the
Fessenheim and Bugey plants, the modification programme was aimed at upgrading, adapted
to the specific characteristics of these plants. These programmes have already resulted in
considerable changes to the plants, but without obliterating the main design differences
between the first 900 MW(e) plants (Fessenheim and Bugey) and the 28 units that followed
(CP1 and CP2 standardized series).
Plant environments: We have discussed the revised approach to dealing with external hazards
and the accompanying new investigations. Apart from these changes in practice, it is also
important to appraise changes in the environment itself and in our knowledge of them. This
may concern a wide range of topics, from air traffic density, to transport of explosive
substances and seismic hazards.
3.2.4.2. Fessenheim and Bugey plant safety reviews
It was theoretically possible to undertake an entirely new safety analysis for these units,
as if for a new standard series. But the results would doubtless not have justified the means
deployed. On the other hand, it was essential that no important topic be overlooked. An
overall approach had consequently to be adopted. So the review started with a fairly wide
range of topics, followed by gradual pruning where justified and using the CP1, CP2
standardized 900 MW(e) unit “end of series condition” as the reference model. Twelve main
topics were initially selected:
x
x
x
x
x
x
x
x
x
x
x
x
General principles.
Accident analyses.
External hazards.
Internal hazards.
Engineered safety systems.
Main primary system.
Secondary system.
Auxiliary systems.
Containment.
Instrumentation and control.
Reactor vessel internals.
General operating rules.
151
On the other hand, it was not deemed appropriate to change the accepted analysis
procedure for “generic” problems affecting all plants. This is the case, for example, for the
technical operating specifications, where the periodic revisions concerning Fessenheim and
Bugey are adapted to those of the other 900 MW(e) units and regularly analyzed prior to
approval by the DSIN, and for the internal emergency plans or the ageing monitoring
procedures dealt with in the context of the life span project.
Methods and means
Initially, no summary report was issued on the 900 MW(e) plant probabilistic safety
assessment, which in fact only partially applied to Fessenheim and Bugey. Probabilistic
assessment methods were consequently little used for the safety reviewing of these plants.
The 10-yearly outage, on the other hand, used to obtain a health check on the main
pressure vessels and the reactor containment, also provided an opportunity to rerun and
supplement certain overall functional tests
Some safety problems of which the authorities had been aware since initial start-up of
the plants were only dealt with in the context of the Fessenheim and Bugey safety reviews
rather than in that of operating feedback. The most characteristic example is the direct Rhone
or Rhine water supply to the containment spray system exchangers, with no intermediate
system. No incident occurred to call attention to this point and the primary fluid’s cooling
function following a primary system break had never been invoked. This configuration
nevertheless implies a possibility of direct transfer of radioactive substances to rivers in the
event of loss of heat exchanger integrity in certain accident situations. This also applies to
reassessment of seismic hazards and ways of dealing with them in plants built more than
15 years ago.
Scope of the review and examples of corrective measures
It is obvious that fundamental structural transformations, significantly modifying the
civil works or restructuring major systems are out of the question. Problems revealed by safety
reviews tend to be solved by local or generalised palliative measures. It should be borne in
mind that this approach had already been adopted for loss of redundant system situations. For
example, the complementary procedure resources enabling mutual backup between safety
injection and containment spray pumps or water injection in the core by external devices had
been permanently installed at the units concerned prior to the review under discussion. This is
not so for the CP1 and CP2 standardized 900 MW(e) units, where mobile devices are used.
This emergency core cooling scheme could offset various types of engineered safety system
inadequacy.
In what follows, we discuss the main implemented or planned transformations. They
derive from the EDF analysis, possibly supplemented by IPSN requests, which may have been
either directly accepted by the operating utility or transmitted via the DSIN after discussion
during the many meetings held by the Standing Group for reactors on the subject of the
Fessenheim and Bugey safety review.
152
Reassessment of seismic hazards: The maximum historically probable earthquakes (MHPE)
for the Fessenheim and Bugey sites were reassessed in the light of the new seismotectonic
map of France and earthquakes previously disregarded because of inadequate available data
(notably the 1356 earthquake at Basel in Switzerland), in compliance with the procedure
proposed in basic safety rule I.2.c. For the Bugey site and deep earthquakes affecting the
Fessenheim site, the bounding case resonator response spectra for characteristic MHPE’s fall
within the corresponding spectrum range for safe shutdown earthquakes (SSE) adopted for
plant design.
With regard to earth tremors near to Fessenheim, the possibility of the design basis
spectrum being exceeded for frequencies higher than 5 Hz was investigated in 1976 for the
electrical building and resulted in local reinforcements. The MHPE spectrum corresponding to
earthquakes near this site is amply bounded by the spectrum, abundant in high frequencies,
used for these investigations.
On the other hand, considering an earthquake as a credible event and not a load
combination implies examining the possibilities of safety classified equipment (designed to
withstand the relevant design basis earthquakes) being damaged by non-classified equipment.
This led to a number of further measures. Examples are the instructions given to operators to
interlock handling equipment in parked position when not in use. Checks on the seismic
resistance of certain non-classified equipment supporting elements also led to reinforcements.
Protection against off-site flooding hazards: The Fessenheim site is located below the Alsace
canal where the water level is 9.5 m higher than the site ground level. This is therefore an
exceptional case, resulting from incomplete investigation of site related hazards when the
plant was designed. Failure of the nearest dike upstream from the site is not included in the
design basis data. Its mechanical strength is consequently crucial and must be checked, taking
into consideration the reassessment of seismic hazards, the ageing of the dike structures and
any modifications they have undergone. Its seismic resistance has been checked during
previous safety inspections.
Fire protection: Further to generic fire hazard studies, an extensive programme was
implemented aimed at improving protection in this respect at the Fessenheim and Bugey
plants. It comprised:
x Redefinition of the fire areas to improve the separation of redundant train equipment;
x Identification and handling of cabling common point problems, after compiling a cable
file, indicating cable routing through the installation;
x Renovation of passive and active protection devices, such as doors, wall and floor
openings, fire stop panelling and seals, together with the water spraying equipment.
Protection against onsite flooding hazards: Whatever the origin of onsite flooding, provisions
as to surveillance, drainage systems, retention pits, raised mounting bases should be such that
the reactor can be shut down and held in a safe configuration and that any radiological
consequences can be limited. Examination of the Fessenheim and Bugey plants led to
corrective actions, such as the reworking or repair of flange seal faces and cladding and the
153
clearing of floor drains. Certain sills were raised and additional alarms were installed for sump
water detection.
System modifications
Containment spray system heat exchangers: In the design adopted for the plants built in
France, the containment spray system heat exchangers remove residual heat in the event of a
major primary break. At the Fessenheim and Bugey plants, these heat exchangers are directly
cooled by Rhine or Rhone water. They thus form the only barrier between the river water and
water which, after a loss of coolant accident, would be carrying substantial quantities of
radioactive products from the containment spray system. In all later plants, the containment
spray system is cooled by the component cooling system, itself cooled by off-site raw water.
The Fessenheim and Bugey plants are also equipped with a similar system, but isolation with
respect to the river water is only assured for systems used under normal operating conditions.
The installation of such a system could have been recommended for the containment spray
system heat exchangers, but owing to the technical difficulties involved, EDF preferred a
solution that was less satisfactory as regards principle, but nevertheless deemed acceptable. It
consisted in using heat exchangers where raw water circulates in 1 mm thick titanium tubes.
These exchangers are so designed that, in an accident situation, leakage risks would be
diminished by the slight lengthwise compression of the tubes. They can be entirely eddy
current inspected and are easy to clean on the raw waterside.
In addition, raw water activity monitoring downstream from each exchanger has been
improved, so that leaks would be detected and the contaminated train isolated. After a fairly
short period, a single heat exchanger is sufficient to remove reactor core residual heat which
rapidly decays. The advisability of automatic isolation of the polluted train was discussed, but
the risk induced by inadvertent isolation of a safeguard system was deemed to exceed the
benefit to be gained by automation.
Automatic switch over to recirculation: In the event of a major primary break, core cooling is
first assured by injection of water from the reactor cavity and spent fuel pit cooling and
treatment tank. When the low point in this tank is reached, the safety injection and
containment spray pumps it is supplying must take suction in the containment sumps which
collect water leaking from the primary system or resulting from containment spraying. At
Fessenheim and Bugey, this pump suction switch over was actuated by the operating team.
However, owing to the possibility of human error in this context, it was decided to automate
this action, bringing it into line with the other PWR plants.
Application of the single failure criterion: When the Fessenheim and Bugey plants were
designed, the principle of redundancy of safety-related systems was not so stringently applied
as for subsequent plants. When the Fessenheim and Bugey plant structural features were
examined in relation to application of the single failure criterion as defined in Basic Safety
Rule I.3.a, released in 1980, the following modifications were made: the containment
atmosphere monitoring system fans were duplicated, as also was the low head safety injection
system suction line. On the other hand, it was considered acceptable to have only one valve
regulating suction for the residual heat removal system because it is possible to offset refusal
of this valve to open by maintaining cooling via the steam generators.
154
As is clear from the previous examples, appraisal of the degree of risk influences
decisions, which are not solely based on strict application of regulatory or para-regulatory
texts.
Preparation for severe accident management
It was already mentioned that the Fessenheim and Bugey plants are permanently
equipped to implement the complementary ultimate provisions for core cooling in highly
disturbed situations. Another specific feature of the two Fessenheim units is the shallower
base mat. A survey is proceeding to investigate the possibility of installing refractory materials
in the reactor pits of these units to delay base mat penetration in the event of a core melt
accident.
Expected final result
The various changes implemented further to the Fessenheim and Bugey plant safety
reviews should bring their safety level closer to that of the other 900 MW(e) units. This
should facilitate subsequent inspections and simplify the introduction of any further changes
that could be adopted during safety reviews on other 900 MW(e) plants.
4. INSPECTION AND ENFORCEMENT BY THE REGULATORY BODY
4.1. IAEA GUIDANCE ON INSPECTION AND ENFORCEMENT5
Regulatory inspection and enforcement activities cover all areas of regulatory
responsibility. Inspections allow the regulatory body to satisfy itself that the operator is in
compliance with the conditions set out, for example, in the authorization or regulations. In
addition, the regulatory body shall take into account, as necessary, the activities of suppliers of
services and products to the operator. Enforcement actions are applied as necessary by the
regulatory body in the event of deviations or non-compliance with conditions and
requirements.
The principal objectives of regulatory inspection and enforcement are to provide a high
level of assurance that all activities performed by the operator during all the stages of the
authorization process and during all stages of the lifetime of a nuclear facility (siting, design,
construction, commissioning, operation and decommissioning or closure) are executed safely
and meet the safety objectives and licence conditions. Inspection is performed to check
independently the operator and the state of the facility, and to provide a high level of
confidence that operators are complying with the safety objectives prescribed or approved by
the regulatory body. This should be achieved by confirming that:
x All relevant laws, regulations and licence conditions, and all relevant codes, guides,
specifications and practices are complied with;
5
INTERNATIONAL ATOMIC ENERGY AGENCY, regulatory Inspection of Nuclear Facilities and
Enforcement by the Regulatory Body, Safety Standards Series No. GS-G-1.3 (in press).
155
x The operator has a strong and effective management, good safety culture and selfassessment systems for ensuring the safety of the facility and the protection of workers,
the public and the environment;
x The required quality and performance are achieved and maintained in the safety related
activities of the operator and in the structures, systems and components of the facility
throughout its lifetime;
x Sufficient numbers of personnel, who have the necessary competences for the efficient
and safe performance of their duties, are available at all times throughout all stages of the
facility’s lifetime;
x Deficiencies and abnormal conditions are identified and promptly evaluated and corrected
by the operator and duly reported to the regulatory body as required; and
x Any other safety issue that is neither specified in the authorization nor contained in the
regulation is identified and appropriately considered.
Regulatory inspection includes a range of planned and reactive inspections over the
lifetime of a nuclear facility and inspections of relevant parts of the operator’s organization
and contractors to ensure compliance with regulatory requirements.
Regulatory enforcement actions are actions to deal with non-compliance by the operator
with specified conditions and requirements. These actions are intended to modify or correct
any aspect of an operator’s procedures, and practices, or of a facility’s structures, systems or
components as necessary to ensure safety. Enforcement actions may also include the
imposition or recommendation of civil penalties and other sanctions.
The regulatory body has legal authority for conducting and co-ordinating its inspection
and enforcement responsibilities during the site evaluation, design, construction,
commissioning, operation, decommissioning or closure of nuclear facilities under its
authority.
With regard to inspection, the regulatory body shall has the authority:
x To establish regulations and issue guidance which, among other things, serve as the basis
for inspection;
x To enter the premises of any facility subject to the regulatory process at any time for the
purposes of inspections;
x To require preparation of, access to, and submission of reports and documents from
operators and their contractors when necessary;
x To seek the co-operation and support of other governmental bodies and consultants with
inspection related competence or qualifications; and
x To communicate information, findings, recommendations and conclusions from
inspections to other governmental bodies or interested parties, including high level
officials, as deemed appropriate in view of the significance of the issue.
With regard to enforcement, the regulatory body has the authority:
156
x To require the operator to take action to remedy deficiencies and prevent recurrence to
curtail activities or to shut down the facility when the results of inspection or another
regulatory assessments indicate that the protection of workers, the public and the
environment might be inadequate; and
x To impose or recommend civil penalties and other sanctions for non-compliance with
specified requirements.
The regulatory body has adequate powers and authority to enforce compliance with
its requirements and licence conditions, and has available a number of enforcement methods
to provide sufficient flexibility to implement the method best suited to the seriousness of the
violation and the urgency of corrective actions. The degree of authority of the regulatory
inspectors is clearly defined, and clear administrative procedures are adopted and
implemented.
The regulatory body, including a dedicated support organization if appropriate, has
staff capable of performing activities required by its inspection programme or, if outside
consultants are used, staff capable of adequately supervising the consultants’ work and
independently evaluating its quality and the results.
It is neither necessary nor practicable for the regulatory body to be entirely selfsufficient in all technical areas relating to inspection. It may therefore be necessary to use
consultants in specialized areas. It may occasionally be necessary owing to a heavy short term
workload to augment the regulatory body’s inspection staff with consultants having
knowledge and experience equivalent to that of the regulatory body’s inspection staff.
4.1.1. Regulatory inspection programme
The regulatory body establishes a planned and systematic inspection programme. The
extent to which inspection is performed in the regulatory process will depend upon the
potential magnitude and nature of the hazard associated with the facility or activity.
Specific responsibilities of the regulatory body in this regard include:
x Conducting planned inspections in all stages of the authorization process;
x Carrying out reactive inspections, if appropriate, in response to events, incidents or
accidents;
x Identifying and recommending necessary changes to the safety requirements approved by
the regulatory body, specified in the authorization or contained in the regulations;
x Preparing reports to document its inspection activities and findings;
x Verifying the operator’s compliance with regulatory requirements and otherwise
confirming continuous adherence to safety objectives;
x Ensuring that the operator has adequate, comprehensive and up-to-date information on the
status of the facility and for the demonstrating its safety, and a procedure to maintain this
information;
157
x Verifying that corrective actions have been undertaken by the operator to resolve safety
issues identified previously;
x Tracking recurrent problems and non-compliance;
x Developing such procedures and directives as may be necessary for the effective conduct
and administration of the inspection programme; and
x Determining and recommending suitable enforcement actions when non-conformance
with requirements is identified.
Regulatory inspection programmes are comprehensive and are developed within the
overall regulatory strategy. These programmes are thorough enough to provide a high level of
confidence that operators are in compliance with the regulatory requirements and are
identifying and solving all actual and potential problems in ensuring safety.
In order to establish or modify an inspection programme different methods may be used
when selecting the inspection areas and establishing priorities for the inspection programme.
The regulatory body should consider the following:
x The results of previous inspections;
x The safety analysis performed by the operator and the results of regulatory review and
assessment;
x Performance indicator programmes or any other systematic method for the assessment of
operator’s performance;
x Operational experience and lessons learned from the facility and other similar facilities as
well as results of research and development; and
x Inspection programmes of the regulatory bodies of other states.
The regulatory body has the capability to undertake inspection activities at any time as
necessitated by the normal operation or by any fault conditions or operator’s activities at the
facility.
The planning of the programme of inspections will also be influenced by the
geographical location of the regulatory body in relation to the facility to be inspected. In
particular it will depend on whether inspectors are permanently at the facility site (resident
inspectors) during one or more stages of the facility’s lifetime.
4.1.1.1. Types of inspections
The regulatory body conducts two general types of inspection, namely planned
inspections (including special inspections) and reactive inspections. Inspections may be
conducted by individuals or teams and may be announced or unannounced, as part of a general
programme or with specific aims.
Planned inspections are those carried out in fulfilment of, and in conformance with, a
structured and largely pre-arranged or baseline inspection programme developed by the
regulatory body. They may be linked to operator schedules for the performance or completion
158
of certain activities at all stages of the authorization process. They are scheduled in advance
by the regulatory body.
Special inspections may be carried out to consider specific issues that may be of interest
to the regulatory body, such as new research and development findings and experience from
other facilities. This type of inspection may range from a single inspector reviewing a specific
inspection area, to a team inspection of several inspectors reviewing several different
inspection areas.
Team inspections, which may be multidisciplinary, provide an in-depth independent and
balanced assessment of the operator’s performance. Team inspections are of particular value
once safety problems have been identified, since normal inspections cover only small samples
of operator’s activities in any particular area.
Reactive inspections, by individuals or teams, are usually initiated by the regulatory
body in response to an unexpected, unplanned or unusual situation or an incident, in order to
assess its significance and implications and the adequacy of corrective actions. The regulatory
body assumes the need for reactive inspections and plans its requirements for staff and
consultants accordingly.
4.1.1.2. Provision of guidance to inspectors
To ensure that all nuclear facilities in a country are inspected to a common standard and
that the level of safety is consistent, the regulatory body provides written guidance in
sufficient detail for its inspectors. The guidelines ensure a systematic and consistent approach
to inspection, allowing sufficient flexibility for inspectors to take the initiative in identifying
and addressing new concerns as they arise. Appropriate information and guidance are
provided to the inspectors concerned and each inspector is given adequate training in
following this guidance.
The authority vested in inspectors should oblige them to conduct themselves on-site in a
manner that inspires confidence and respect concerning their competence and integrity.
4.1.2. Inspection areas
Inspection by the regulatory body concentrates on areas of safety significance. The
stages of inspection covers: site evaluation, design and construction, commissioning,
operation and decommissioning. In the following key topics at each stage are covered. Table
XIV presents areas of nuclear facilities that may be of particular interest for inspection at
different stages of the authorization process.
4.1.3. Implementation of an inspection programme
The regulatory body has an overall plan for the programme of inspections that it will
undertake at a facility. In determining the intervals of inspections and the level of effort to be
applied, the regulatory body takes into account the relative significance for the safety of the
facility of each authorization stage and inspection area.
159
Particular aspects that need to be considered in determining the intervals of inspection in
the various areas and the level of inspection effort to be applied include:
x The safety significance of the issues;
x The inspection methods and approaches used (for example, the use of resident inspectors
may affect the frequency and intensity of inspections);
x The qualified personnel and other resources available to the operator;
x The performance record of the operator and the facility, including the number of
violations, deficiencies, incidents and problems encountered, and the number of reactive
inspections required;
x Results of regulatory review and assessment;
x The type of facility;
x The personnel and other resources available to the regulatory body.
x Results of previous inspections.
To facilitate management of the allocation of inspection resources, the regulatory body
develops a site specific inspection plan that takes into account the factors presented in
Table XIV. The inspection plans are recorded in such a way that can easily be modified to
take into account continuing activities, and they are reviewed periodically and adjusted as
necessary.
The inspection plan is flexible enough to permit inspectors to respond to particular
needs and situations. The regulatory body establishes a process of periodically evaluating
inspection findings, identifying generic issues and making arrangements to enable inspectors
from various plants, locations or projects to meet to exchange views and discuss the findings
and issues.
160
161
x
x
x
x
Safety related materials, SSCs meet the requirements established by
the regulatory body and conform to good practices;
Construction activities associated with manufacturing and installing
SSC items are conducted in accordance with regulatory requirements
and in conformity with general safety objectives.
The “as-built” configuration of SSCs is in conformity with the
assumptions made in the review and assessment; any deviation is
analyzed and justified, and the documentation is updated;
The operator’s system and procedures for quality assurance and
inspection are adequate to ensure the conformance of equipment to
the technical specifications.
The chief objectives of the regulatory inspection programme during the
design and construction of the facility are to verify that:
The design and construction stage
Before construction of the nuclear facility begins, the regulatory body
monitors as appropriate, through its inspection programme, site
preparation activities undertaken by the operator, including verification of
site characteristics and authorized excavation and earthwork. Specific
inspection objectives in these areas include verification that the operator is
undertaking siting activities in full conformity with existing regulatory
requirements and assurance that the site preparation work does not
proceed beyond that permitted by any authorization in force. During site
preparation, the regulatory body is also concerned with confirming that
the site characteristics remain consistent with the description presented by
the operator in its application and in the subsequent supporting
documentation submitted to the regulatory body.
The site evaluation stage
TABLE XIV. INSPECTION AREAS FOR NUCLEAR FACILITIES
Inspection by the regulatory body during the commissioning stage focuses
on four broad areas of the operator’s activity:
x Testing before introduction of fissile and radioactive material;
x Initial introduction of fissile and radioactive material;
x Testing of operations involving fissile and radioactive material; and
x Other commissioning activities.
Activities associated with commissioning will normally begin before
construction is completed. Accordingly, the regulatory body prepares to
inspect areas of commissioning activity in parallel with activities of the
construction phase. In some countries the regulatory body approves the
commissioning programme, and for advancing beyond certain hold points,
the regulatory body’s agreement has to be obtained.
The commissioning stage
The regulatory body inspects design and construction activities in a
number of areas in order to attain these objectives. In particular, the
following areas receive close attention in the construction stage:
x Mixing and placement of concrete and its reinforcement, especially in
foundations, and safety related structures, particularly containment
structures;
x Construction of cooling intake and discharge systems;
x Installation of safety related components, particularly containment
and shielding boundaries, internals of vessels which will contain
fissile and radioactive material, and equipment to be used in
radioactive areas.
x Installation of safety related control, protection and power systems;
x Areas of the facility that are inaccessible after construction is
completed, particularly systems and components embedded in the
foundation or building structure;
x Housekeeping in respect of safety related SSCs; and
x The quality assurance systems of the designer, manufacturer and
constructor.
162
In relation to the initial introduction of fissile and radioactive material,
regulatory inspection personnel are present at the facility site to observe:
x Tests of the main control room;
x Access control and radiation protection programme;
x Emergency preparedness and demonstration of the emergency plan;
x Systems for monitoring radioactive releases and meteorological
conditions;
The number and the key tests examined and directly witnessed by the
regulatory body will vary depending on the importance of the test for
safety. This may involve the regulatory body in inspecting tests of:
x Safety related systems (e.g. instrumentation and control systems,
shutdown systems and standby systems);
x The integrity of the containment and shielding boundaries (e.g.
hydraulic tests of pressurized structures) as appropriate;
x The susceptibility of SSCs to vibration or to other design loads;
x Secondary containment integrity (e.g. leak rate tests);
x Emergency power systems as appropriate;
x Communication capabilities;
x Ventilation systems; and
x Integrated cold and hot functional tests.
Testing before introduction of fissile and radioactive material
encompasses those activities and tests performed before the introduction
of fissile and radioactive material by the operator to demonstrate that
SSCs and components function properly and conform to design
requirements. The regulatory inspection programme includes:
x Examination of documented procedures to verify compliance with
review and assessment conclusions;
x Review of the implementation of these procedures;
x Direct observation of the performance of key pre-operational tests;
x Examination of the results of selected tests; and
x Confirmation of the integrity of any engineered barriers.
Distribution of fissile and radioactive material and checks on process
and/or criticality calculations; and
Systems involved in the handling of radiation or fissile material.
Other areas requiring inspection by the regulatory body during the
commissioning stage include:
x The ability of the operator’s management to progress from
construction to operation;
x Management’s provisions for putting the emergency plan into effect;
x Training and qualification of the operators;
x Hold points during the operational testing phase and into the full
operational phase are closely monitored.
Testing of operations involving fissile and radioactive material
encompasses operator activities up to nominal operating conditions:
x SSCs are tested to ensure that they have been constructed and
installed properly and are capable of functioning in accordance with
approved design requirements.
x Consideration is given to the performance of radiation surveys of
facility shielding (e.g. concrete walls) during facility start-up.
x The operator is carrying out tests at increasing operational levels; this
testing includes the recording; and analysis of data relating to
temperatures, pressures, radiation levels, flows and variations in
process parameters as well as other relevant parameters;
x The safety aspects of the operator’s procedures of operational tests
are examined and assessed as well as a sample of the test
documentation and results of the tests. Regulatory inspection also
involves monitoring and direct observation of several tests.
x
x
163
Operator’s training programme including simulator training: the
adequacy of the operator’s staff training programme is assessed
routinely to ensure that the training reflects actual facility conditions
and operator responses to abnormal events and emergency conditions.
Safety systems: a sampling review of safety systems is performed to
evaluate: any identified degraded equipment; discrepancies between
installed component/system hardware and the facility drawings;
controls for performing maintenance on equipment; and the quality of
performance of operations staff in log keeping and record keeping and
in routine monitoring of equipment.
x
x
The area of operations should include the control and execution of
activities directly related to operating a facility to the operating limits and
conditions established by regulatory requirements or by procedures or
specifications. Inspection personnel should perform safety verification of
control room activities and the abilities of the operations staff to discharge
their duties. To perform this safety verification, the following should be
carried out:
x Operating procedures: a sampling review of operating procedures,
including all those procedures for normal operations, abnormal or offnormal conditions, and emergency conditions, is performed.
Inspection focus on the operating personnel’s adherence to
procedures including limits and conditions for operation and should
also evaluate the usability and adequacy of the procedures.
The operation stage:
Once the facility has attained the authorized operation stage, the
regulatory body implements an inspection programme to verify
systematically the operator’s compliance with regulatory requirements and
conformance to general safety objectives, and to detect potential safety
problems.
Management: the management’s involvement in the facility and its
effectiveness in providing the appropriate attention to operational
issues, including abnormal events, is evaluated. Inspections consider
whether the organizational structure is suitable, if there are adequate
numbers of staff, how management and staff communicate, and how
management that emphasizes the importance of safety encourages a
good safety culture.
The decommissioning stage: During the decommissioning stage of a
nuclear facility, inspection activities, e.g. concentrate on: the adequacy of
the operator’s procedure for the control of each phase of
decommissioning; the removal of radioactive material; the
decontamination and dismantling activities; the waste management
strategy for the treatment, conditioning, storage and disposal of all
radioactive wastes; the physical condition of the facility especially the
surveillance of the integrity and/or availability of relevant SSCs.
Outages:
Inspection covers outage activities. In addition to providing opportunities
to observe modifications to the facility, outages provide opportunities to
observe activities in areas that are not always accessible during normal
operation. Before bringing back the facility to normal operation, it is usual
for the regulatory body to perform a special inspection. Topics requiring
specific attention include:
x Radiation protection;
x Maintenance, inspection and testing;
x Engineering;
x Modifications;
x Emergency preparedness;
x Security;
x Quality assurance programme;
x Effectiveness of management systems;
x
The operator notifies the regulatory body of its schedules for carrying out activities and
tests of regulatory interest and submits or makes available to the regulatory body the
procedures for these activities in a timely manner. To facilitate this process, the regulatory
body specifies well in advance to the operator which activities and tests it wishes to be
informed of.
4.1.3.1. Preparation of an inspection
Before an inspection is carried out the inspection personnel is thoroughly prepared for
the task. The preparation will depend on the type and method of inspection to be used.
Preparation may include a review of the following:
x
x
x
x
x
x
x
Regulatory requirements relating to the inspection area;
Past operating experience relating to the inspection area;
Previous inspection findings and enforcement actions relating to the inspection area;
Past correspondence between the regulator and the operator relating to the inspection area;
The safety analysis report and operating limits and conditions;
Documentation on operation and design for the facility;
Operator’s management procedures and quality assurance programme.
4.1.3.2. Methods of inspection
The inspection programme of the regulatory body incorporates and utilizes a variety of
methods as follows:
x
x
x
x
Monitoring and direct observation, such as working practices and equipment;
Discussions and interviews with the personnel of the operator and the contractor;
Examination of procedures, records and documentation; or
Tests and measurements.
4.1.3.3. Inspection reports and findings
A report of each regulatory inspection is written by the inspector(s) who conducted it.
The report is reviewed and approved according to established internal procedures.
The purposes of inspection reports are:
x To record the results of all inspection activities relating to safety or of regulatory
significance;
x To document and record an assessment of operator activities in relation to safety;
x To record relevant discussions held with facility staff, plant management and other
concerned persons;
x To provide a basis for notifying the operator of the inspection findings and of any
regulatory requirements, and to provide a record of any enforcement action taken;
x To record any findings or conclusions reached by inspectors;
x To record any recommendations by inspectors for future action by the operator or the
regulatory body, and to record progress on recommendations from previous inspection;
and
x To inform other members of the regulatory body;
x To contribute to maintaining institutional memory.
164
Inspection reports typically contain:
x
x
x
x
x
x
x
x
x
x
x
x
x
The facility, purpose and date of inspection, inspectors’ names;
The methods used in the inspection (interviews, observations, paper review etc.);
Reference to applicable regulations;
Criteria used in the assessment;
Details of facility areas, activities, processes, systems or components which have been
inspected, assessed or reviewed;
A record of actual or potential problems relating to safety;
A record of the results of any checks for compliance with the terms and conditions of the
authorization for the facility and applicable national laws;
A record of any deficiency or violation found during regulatory inspections, including a
record of what has been contravened;
A record of any regulatory action taken by inspectors and any consequent action taken by
the operator in the period covered by the report;
A record of discussions held with the facility’s staff, the operator’s managers and other
persons, including a record of discussions with facility staff, the operator’s managers
about points of concern;
A record of the inspectors’ opinion about the operator’s or relevant facility manager’s
response to any matter of concern drawn to their attention after a regulatory inspection;
A record of the findings or conclusions of the inspectors including corrective or
enforcement actions that should be taken;
A record of recommendations made by inspectors for future action, such as a need to
advise other inspectors or operators about particular problems, proposals for further
inspections or proposals for enforcement actions.
Distribution of inspection reports should be according to established procedures.
4.1.4. Enforcement actions
The regulatory body has statutory powers to enforce compliance with its requirements as
specified in the applicable regulations and in license conditions, including the authority to
require an operator to modify, correct or curtail any aspect of a facility's operation, procedures,
practices, systems, structures or components as necessary to ensure the required level of
safety. Within the legal framework under which it is established, the regulatory body may
develop and issue enabling regulations, detailing procedures for determining and exercising
enforcement actions as well as the rights and obligations of the operator.
Enforcement actions are designed to respond to non-compliance with specified
conditions and requirements. The action shall be commensurate with the seriousness of the
non-compliance. Thus there are different kinds of enforcement actions, from written warnings
to penalties and, ultimately, withdrawal of an authorization. In all cases the operator shall be
required to remedy the non-compliance, to perform a thorough investigation in accordance
with an agreed time-scale, and to take all necessary measures to prevent recurrence. The
regulatory body shall ensure that the operator has effectively implemented any remedial
actions.
165
The extent of the authority of the regulatory inspectors to take on the spot enforcement
actions shall be determined by the regulatory body. The degree of authority given to an
inspector may depend on the structure of the regulatory body and on the inspector'’ role and
experience. Where on the spot enforcement authority is not granted to individual inspectors,
the transmission of information to the regulatory body shall be suited to the urgency of the
situation so that necessary actions are taken in a timely manner; information shall be
transmitted immediately if the inspectors judge that the health and safety of workers or the
public are at risk, or the environment is endangered. Enforcement actions on the spot by
regulatory inspectors are appropriate only in unusual situations. In normal situations, decisions
regarding enforcement actions, particularly those involving fines, curtailment of activity or
suspension of authorization, should be approved by the regulatory body according to the
procedures established in each state.
4.1.4.1. Factors determining enforcement actions
A range of enforcement measures are available to the regulatory body, such as the
issuing of written warnings or directives, or orders to curtail activities, the modification or
revocation of licences or authorizations, and the imposition of penalties.
The factors to be taken into account by the regulatory body in deciding which
enforcement action is appropriate in each case include:
x The safety significance of the deficiency and the complexity of the correction that is
needed;
x The seriousness of the violation;
x Whether a violation of a less serious nature has been repeated;
x Whether there has been a deliberate or wilful violation of the limits and conditions
specified in the authorization or in regulations;
x Who identified and reported the non-conformance;
x The past performance of the operator and its related trend;
x The need for consistency and transparency in the treatment of operators.
4.1.4.2. Methods of enforcement
The main methods of enforcement actions are:
x
x
x
x
Written warnings or directives;
Orders to curtail specific activities;
Modification, suspension or revocation of the authorization;
Penalties.
The regulatory body has the authority to impose or recommend penalties, for example
fines on the operator, as a corporate body or individuals, or to institute prosecution through
the legal process, depending upon the legal system and authorization practices of the
countries. The use of penalties is usually reserved for serious violations, for repeated
violations of a less serious nature, or for deliberate and wilful non-compliance. Experience in
some countries is that imposing penalties on the organization rather than individual workers is
preferable and more likely to lead to improved safety performance.
166
The regulatory body has clear administrative procedures and guidelines governing the
use and implementation of enforcement actions. All inspectors and other regulatory body staff
should be trained in and knowledgeable about the procedures and guidelines.
If there is no immediate risk to safety, the regulatory body allows reasonable periods of
time for the operator to complete corrective action. These time periods reflect the seriousness
of the issue and the complexity of the corrective action required. However, an integrated
approach to safety considers the contribution to the total risk to the facility of each individual
deficiency needing corrective action.
All enforcement decisions shall be confirmed to the operator in writing. Internal records
of decisions relating to enforcement actions and any supporting documentation is kept in such
a way that can be easily accessible and retrieved when required.
The regulatory body has a system to audit, review and monitor all aspects of its
inspection and enforcement activities to ensure that they are being carried out in a suitable and
effective manner. The system ensures that any changes due to improvements in techniques or
otherwise, are implemented.
4.2. EXAMPLES OF SPECIFIC INSPECTIONS
4.2.1. Regulatory inspection in Finland
4.2.1.1. General arrangements for inspection
In Finland all nuclear power plants (two sites, four units) are in the operating stage.
This presentation concentrates on the regulatory inspections during operation. Radiation and
Nuclear Safety Authority (STUK) acts as the regulatory body for nuclear power plants in
Finland, i.e. as nuclear safety authority, radiation protection authority, pressure vessel
authority and nuclear material and safeguards authority.
Nuclear Energy and Radiation Protection Acts and Decrees define the regulatory
framework in Finland. General safety requirements are given in the Decisions by the State
Council (i.e. Cabinet of Ministers). A detailed technical and administrative instruction relative
to the design, construction, commissioning and operation of nuclear power plants are given in
the YVL guides published by the STUK. A detailed list of YVL guides is presented in
Appendix V. These guides form a practical basis for the regulatory work. In addition to the
YVL guides STUK has internal guides (YTV guides) which define inspection related
practices. The organization chart of STUK is given in Fig. 8.
The guide covering regulatory control of operating NPP’s contains reviews and
inspections which can be divided in three categories as follows:
x Periodic inspections as specified by STUK in plant specific programmes;
x Inspections of specific technical and other topics; and
x Safety re-assessment.
167
Periodic inspection programme
Inspections contained in the periodic inspection programme are focused on the power
company’s activities important to safety. The control aims to ensure compliance with the
regulations and the plans and programmes approved by STUK, and to assess the
appropriateness of the power company’s activities. In preparation for and in connection with
each inspection, examples of the results of the activities in question are reviewed.
Periodic inspection programme was renewed during 1998. STUK’s inspection
activities are focusing at licensee main working processes. The programme has three levels:
x Management of safety;
x Main working processes; and
x Inspections of the organizational units and specific technical areas.
Because of the renewal of the programme the number of inspections was reduced but
the scope of new inspections was enlarged.
Inspections of specific technical and other topics
Nuclear power plant operation includes activities which can be implemented only after
STUK’s approval of the activity has been granted. The approvals are tied to preceding
inspections. It is also verified afterwards that the implementation complies with the plans and
meets possible regulatory conditions. Requirements and obligations which apply to
inspections of different topics are presented in the YVL guides.
The inspections cover the following items: documents concerning operation;
competence of personnel; outage planning and execution; refuelling of reactors in-service
inspections done or contracted by the operating organization; in-service inspections as referred
to in the Decree on pressure vessels; repairs, modifications and preventive maintenance; postoutage plant start-up; procurement of nuclear fuel; safeguards; exemption of nuclear waste
from regulatory control.
The important inspections which the operating organization is obliged to request are
the inspections of repairs and modifications. For all the repairs of failed safety relevant
components, as well as for all modifications of the safety systems the operating organization
has to present their plans in advance for STUK approval. The plan has to include technical
documentation as needed to verify the acceptability of the functional features, structure, and
materials of the repaired or new equipment. Also the repair or installation method, quality
control, and tests after the work have to be presented. When the work has been completed, the
operating organization has to ask for construction and/or commissioning inspections.
Safety re-assessment
The safety level of the nuclear power plant is re-assessed after any abnormal event, and
the need for corrective measures is considered. To ensure a systematic analysis of the event
and its causes, an investigation team by STUK is nominated. The team has to find out root
causes of equipment failures and human errors and weaknesses in the performance of the
operating organization as a whole. At the end the team has to present a report including
168
recommendations for corrective actions, intended to prevent re-occurrence of similar events.
A similar parallel activity is required from the operating organization, and it has to submit its
special report for regulatory approval.
A thorough evaluation of the situation at the Finnish plants is also done if an event
reported from a foreign nuclear power plant is suspected to be of such a nature that it might as
well occur in our country. Besides feedback from the operating experience, safety reassessment is done on the basis of PSA studies and in view of new information gained from
safety research programmes.
4.2.1.2. Relationship between the regulatory body and operating organizations, enforcement
actions
In Finland it is emphasised that the licensee and in specific the manager of the
operating organization has the full responsibility for the safety of his plant. The responsibility
of the regulatory body is to define the safety requirements and to verify by inspections whether
these requirements are fulfilled.
An atmosphere of confidence and respect between the regulatory body and the
operating organization is regarded as necessary to achieve adequate information transfer for
inspection purposes.
The regulatory inspectors may at any time require information they find necessary for
their work, and they have access to all documents. They also have unhindered access to all
installations, offices, workshops, and stores. As needed, they may carry out own
measurements, take samples and install equipment necessary for supervision. If particular
problems occur during operation, the regulatory body requests the solutions to be proposed by
the operating organization. The regulatory body may indicate some constraints but it does not
suggest solutions. All the inspection activities are channelled through the operating
organization, and the regulatory body does not directly inspect suppliers (factories) and
contractors who work for the operating organization.
If needed, STUK has strong legal tools at its disposal. If the regulations or licence
conditions have not been observed, or if the safety is otherwise endangered, STUK may order
removal of the defect or the fault within the time specified. The order may be reinforced by a
conditionally imposed fine, or a threat to interrupt or limit the operation. STUK may also have
the deficiency fulfilled by some third organization at the expense of the operating
organization. If a defect or fault causes an immediate danger or cannot be removed within
given time, STUK may interrupt the operation or limit it in an appropriate manner. A police
authority shall provide executive assistance if needed.
Sanctions specified in the nuclear energy law for those who have deliberately or by
negligence committed a nuclear energy crime are very strong. In such situations the persons
would be prosecuted by a public prosecutor after having received the statement by STUK on
the matter.
The strong enforcement tools have not been used in practice. We think that for
achievement of a high safety level it is better to motivate people to do good work, rather than
to threaten them by fines or other penalties. Especially we want to avoid charges against
individuals who have made mistakes or have been shown to have shortcomings in training and
169
information provided to them. It is also recognized that the use of legal or monetary penalties
do not resolve the structural root causes of the problems.
Experience has shown that a very effective means of enforcement is to give the public
information about abnormal events at the nuclear power plants. If the plant safety is directly
endangered because of some fault, or if some previously unknown safety hazard is observed,
the STUK could demand plant shutdown on the basis of its own judgement. In practice, it is
enough to have a serious discussion with the plant manager who is responsible for the safety
of his plant. After such discussion the plant manager has always preferred making the
shutdown decision himself. One reason is that a shutdown ordered by STUK would be
negative for the public reputation of the operating organization.
4.2.1.3. Preparation for the inspections and reporting the results
Inspection planning
An annual inspection plan is made before the end of the year for the next year.
Experience from previous inspections, needs for development, large modifications and needed
settlements etc. may influence the inspection plan. In the annual plan a responsible unit is
mentioned. This plan does not hinder the inspectors from doing extra inspections if they are
needed. A specific annual focus area is presented by the management. The plan is submitted to
the licensee for information.
The inspections are performed according to the inspection procedures. The procedures
are general enough so that they do not bind the inspector too much but give the inspector also
some freedom to vary inspection topics and details. The procedures describe the area of
inspection, background information needed and methods of inspection.
Information is collected continuously for the planning of inspections such as:
x
x
x
x
x
x
x
Regulatory requirements and international standards;
Licensee QA manuals and instructions;
Results from previous inspections and audits;
Information from event investigations and root cause analyses;
Information from resident inspectors and other regulatory work;
Safety indicators;
Other information (e.g. international experience).
Through the analysis of information an initial assessment of the inspection area is
made and specific inspection topics can be chosen. In this phase time and resource allocation
is made.
For each inspection a detailed plan is made. The plan is based on the procedure and
specific topics to be covered in detail are mentioned. The plan also includes dates and times,
participating NPP units and participating inspectors. The plan will be sent to the NPP 1–
2 weeks before the inspection. Some topics can be inspected also without prior notice if that is
considered necessary.
170
The group will be nominated according to chosen inspection area and expertise needed.
The principle is that each person has an active role in the inspection. Each inspector has his or
her own sub-topic in the inspection.
The inspection begins with the start-up meeting with the licensee representatives.
During the meeting the inspection topics, schedule and inspection methods are discussed.
After the meeting the group will split up to review their own topics. During the inspection the
group has meetings to discuss about findings and to build up a general view on the area.
During the inspections that last for several days it is useful to have daily meetings with the
licensee representatives. At the end the results are compared to the set criteria. Conclusions
are written with justifications. The results of the findings and the general assessment of the
inspection area are presented to the licensee in the exit meeting.
Reporting the results
Minutes of the inspection are written and signed by the inspector and NPP counterpart.
Specific findings and remarks that need improvement and time schedule are mentioned if
needed. For the minutes and remarks there are specific forms that are filled in. In addition to
the minutes an inspection report is written. The report contains a summary part and
justification part. In the summary part the following headings are included:
x
x
x
x
Major findings which need corrective actions;
Practices where there is potential for improvement;
Development taken place since the previous inspection;
Remarks concerning management of safety.
In the justification part, findings and conclusions are justified and, in addition,
inspectors have freedom to handle the topics which they consider necessary to write down for
the future or for transferring information to colleagues.
After the inspection report has been written a decision of STUK is prepared by the
inspection group. The decision includes STUK’s requirements based on the findings made
during the inspection. It is presented to the management of the department of Nuclear Reactor
Regulation for approval. The decision is submitted to the licensee one month after the
inspection.
4.2.1.4. The structure of the periodic inspection programme
The periodic inspection program is divided into three different levels:
x Management of safety (A level);
x Main working processes (B level);
x Inspections of the organizational units and specific technical areas (C level).
The regulatory control aims to ensure compliance with the regulations and the plans
and programmes approved by STUK, and to assess the appropriateness of the power
company’s activities. Each inspection area has it’s own requirements that are set e.g. in the
Nuclear Energy Act, Nuclear Eergy Decree, Decisions by the Council of State, YVL-guides
and STUK’s decisions. Furthermore licensee has it’s own requirements set in the QA Manual
171
and procedures. These requirements form the inspection criteria against which the licensee
activities are reviewed in the periodic inspections. In each inspection area also the
functionality of QA system and competence and training of personnel as well as the adequacy
of resources are assessed.
Management of safety
The inspection concentrates on the management activities at the plant from safety point
of view. The aim is to find out the status of safety matters during decision making processes
when dealing with real life situations, plant documentation and future planning. Also the
capability to recognise safety matters will be assessed. The following issues are under this
inspection:
x Management principles;
x Safety policy;
x Safety goals, safety expectations from the personnel — procedures to commit the
personnel to goals and plans;
x The position and activities of management support groups;
x Procedures to develop and maintain safety culture;
x Follow-up of the overall performance.
The inspection will be carried out once every two years.
Main working processes
In these inspections attention will be paid on the main working processes at the plant.
The assessment concentrates on the work performance of different organizational units and to
the fulfilment of safety and quality related requirements. Special attention will be paid on:
x The appropriateness and performance of the methods and procedures used in the main
working processes;
x The interface between different working phases;
x The feedback included into the main working processes and the use of feedback in the
organization;
x The support functions for each main process (training, QA and documentation).
The main working processes at the plant are divided into three groups: safety
assessment and enhancement, operations and maintenance. Each group includes different parts
that support the main process. For example:
B1. Safety assessment and enhancement:
x
x
x
x
172
Correspondence to the changes in safety requirements;
Use of safety research results;
Operational experience feedback in the safety assessment and development;
Process of plant modifications.
B2. Operations:
x
x
x
x
Operation of the plant;
Surveillance of operation;
Control of disturbances;
Periodic testing.
B.3 Maintenance of the plant:
x
x
x
x
x
Maintenance;
Control of ageing;
Control of outages;
Procurement ;
Administrative control of work.
The specific inspection topics are chosen during the preparation of the inspection
taking into account the focus areas specified to each year. Each area will be inspected once a
year.
For example the inspection “safety assessment and enhancement” concentrates on the
activities to ensure, develop and maintain safe plant operation. One of the main areas is plant
modification processes and the inspection includes then the following issues:
x Capability to identify the need for modifications based on the operating experience, results
of safety research, results of safety assessment and analysis, and regulatory requirements;
x Design, implementation and commissioning of plant modifications and control of plant
documentation;
x Management activities to encourage personnel to make safety improvements and
allocation of resources.
Specific attention is paid to the resource allocation. Maintaining plant safety
presupposes that there are adequate resources in modification process (design and
implementation). The assessment of the adequacy of resources is done based on the operating
experience (designed and implemented modifications).
Inspections of the organizational units and specific technical areas
The goal of these inspections is to assess and verify the fulfilment of the set
requirements in organizational units and specific technical areas. At the same time these
inspections give valuable information to the level A and B inspections. The practical activities
are inspected against requirements and instructions. The status of the area is assessed as well
as the development activities and resources.
Inspections related to the organizational units and specific technical areas are the
following:
173
x
x
x
x
x
x
x
x
x
x
x
x
C1:
C2:
C3:
C4:
C5:
C6:
C7:
C8:
C9:
C10:
C11:
C12:
Safety systems and functions
Electricity and I&C technique
Mechanical components
Civil engineering and structures
Use of PSA and failure statistic
Information management
Chemistry
Nuclear waste management
Radiation protection
Fire protection
Emergency response arrangements and radiological safety of the environment
Physical protection.
These inspections will be performed once a year.
Evaluation of safety performance of licensee
Some countries have or are developing methods for evaluation of safety performance
of licensee on the basis of inspection results, operational safety related data, performance
indicators etc. Most famous is the US SALP method which suits well to large countries
having a lot of NPP’s for comparison. Small countries act mainly on individual basis and by
using case by case consideration. However, development of systematic means to provide
objective operational safety review would be ideal to support decision making.
STUK prepares an annual summary report on the results of periodic inspection
programme. In this report the following topics are included:
x Assessment concerning the safety of nuclear plants, licensee activities and identified areas
that need improvement;
x Assessment of the implementation of the inspection programme and possible
improvement areas;
x Improvement areas identified during STUK’s other activities.
In the assessment of management of safety, attention is paid to the safety significance
of individual findings and to the repetition of similar observations (for example common
cause failures or deficiencies which could result in common cause failures). The status of
plant safety, management of safety, QA and safety culture will be covered. The plant
modifications will be assessed as well. According to this assessment the corrective actions to
improve the plant safety are presented.
The report includes the summary of the implementation of the inspection programme
and the suggestions to improve the programme, inspection methods and internal procedures.
Possible correlation between the findings of STUK and licensee activities to improve the plant
safety will be assessed.
The annual report is handled by the offices and in the department meetings. In the
department meeting the measures to deal with possible corrective actions will be decided. The
report will be attached to the annual report of the department.
174
4.2.1.5. Incident investigation methods in Finland
Guidelines and criteria
Requirements relating operating experience are presented in the legislation and exactly
in the Decisions of the Council of State on the general regulations for the safety of nuclear
power plants. According to the requirements operating experience from nuclear power plants
shall be systematically followed and assessed. For further safety enhancement, actions shall be
taken which can be regarded as justified considering operating experience and results of safety
research as well as the advancement of science and technology. Guide YVL 1.9 “Quality
assurance during operation of nuclear power plants” presents requirements relating to incident
investigation. Guide YVL 1.11 “Operating experience feedback” presents the detailed
requirements and practices relating guide YVL 1.5 “Reporting nuclear plant operation to
STUK”. The reporting criteria can be divided into tree main categories: immediate, regular
and incident reports:
Immediate reporting
A licensee shall report by telephone without delay all emergencies and incidents
assessed to be of interest in Finland or abroad. Emergencies are events during which plant
safety may be or is significantly compromised.
Regular reports concerning specially information of incidents are:
x Daily reports contain plant operational data, faults in safety-significant structures, systems
and components;
x Quarterly reports contain e.g. summaries of the operational data and incidents;
x Outage reports contain e.g. the important incidents, the significant deficiencies and faults
observed during periodic tests and inspections;
x Semi-annual reports concerning feedback on operating experience a summary of activities
which power company has done based on operating experience gained at own and at other
nuclear facilities. The report describes all significant operational events which have been
dealt with and also their handling phases. It also describes the corrective measures already
implemented and decisions of corrective actions, which will be carried out later.
Incident reports
x Special reports contain all safety significance incidents and faults. The guide YVL 1.5
gives examples of events which meet the above mentioned criteria. Special reports are
submitted in two weeks.
x Root cause analysis report: both utilities have developed root cause analysis methods to
investigate the most important incidents. The root cause analysis report shall be submitted
in four months from the event to STUK for information. In the root cause analysis reports
the licensee gives detailed information on root causes and corrective actions.
175
x Reactor scram reports and operational transient reports are sent in one month. Such events
are i.e. events which include a forced reactor or generator power decrease.
IRS system
STUK is a national body in the IRS-system maintained by IAEA and NEA. STUK
sends all received IRS-reports to the Finnish power utilities for evaluation. STUK prepares all
Finnish IRS-reports and sends them to IAEA and NEA.
Responsibilities for incident investigation
The fundamental principle is that the licensees analyze their own operational events
and send the results to STUK for information. STUK may conduct an independent analysis of
its own if the utility’s organization has not performed as planned during an event, and when
an incident is judged to result in significant modifications in the plant technical design or
instructions. An examination can also be launched when the utility’s analysis is considered
deficient or STUK’s investigation is assessed to have a positive impact on safety. In special
cases, the examination can also be carried out jointly with the utility. An example of such
joint-examination is an event for which there were problems in communication and in cooperation between the authority and the licensee.
All reports received from domestic facilities are processed by STUK and the manner of
handling depends on the report type and the safety significance of the event. When a report or
a piece of important information reaches STUK it will first be assessed whether the event
requires immediate action by STUK. The matters to be assessed are i.e. prerequisites to
continue operation of the plant.
Incident investigation methods and practices
Both Finnish nuclear utilities have established procedures for the follow-up of
domestic and foreign operational events. It is important that the utilities fully analyze
operational events at their plants and carry out the necessary corrective actions. It is also
important that the lessons learned from operational events abroad are implemented.
Event investigation in Finland is based on legislation. Guide YVL 1.11 requires that a
licensee examines all operational events which have safety significance, using a sophisticated
root cause analysis method if an event’s root causes are not evident. Both Finnish utilities
have their own methods for root cause determination.
It is important to specify the correct root causes. Root cause is a cause without which
the event would not have taken place. After the elimination of the underlying root cause the
recurrence of the incident can be reliably prevented.
The facilities have designated their own personnel responsible for operational
experience feedback and also employ also external experts. A nominated group of inspectors
in STUK supported by the rest of STUK organization takes care of the operational experience
function, reporting of incidents and co-ordination of IRS-function.
176
STUK inspects and assesses, that the procedures and the activity in power utilities
meet the requirements set by STUK. The inspection of instructions and procedures are carried
out in STUK’s office and the inspection of the activity of the utilities at the plant site.
Incident register in STUK
The incident registration form has been developed in STUK. All forms containing only
the most important events are fed into the computerised database. The database contains
events as follows:
x Events of which special reports have been written;
x Operational transients with deficiencies in the operation of the utility’s organization;
x Operational transients which have caused substantial modifications in plant structures or
instructions;
x Events with multiple faults in components of one or of several systems.
.
4.2.1.6. Regulatory inspections related to plant modifications
Perhaps the most important inspections the operating organization is obliged to request
are the inspections of repairs and modifications. For all the repairs of failed safety relevant
components, as well as for all modifications of the safety systems the operating organization
has to present their plans in advance for STUK approval. The plan includes technical
documentation as needed to verify the acceptability of the functional features, structure and
materials of the repaired or new equipment. Also the repair or installation method, quality
control, and tests after the work are presented. When the work has been completed, the
operating organization has to ask for construction and/or commissioning inspections.
General requirements
The guide YVL 1.8 presents in detail how STUK regulates the repairs, modifications
and preventive maintenance of systems, components and structures at nuclear installations
during operation. The guide further describes the obligations related to this work imposed on
licensees. Further component specific requirements can be found in other YVL guides.
Before implementation of any structural modification in the safety related systems, the
construction plans are submitted to STUK for approval. If a modification is extensive and
affects the basis of or the prerequisites for an issued operating licence, an application for the
modification shall be filed with the Ministry of Trade and Industry.
According to the guide YVL 1.8, the licensee shall, for purposes of repairs,
modifications and preventive maintenance:
x Have clearly defined administrative controls and related instructions for the design,
implementation and testing of these activities;
177
x Employ competent personnel and take care of the necessary training and job orientation,
adequate working instructions and appropriate working tools;
x Arrange for the nuclear power plant’s systems, components and structures to be regularly
serviced and the associated tests to be duly conducted;
x Have an established failure report and work request system.
The work order/work permit contains requirements and restrictions relating to the
technical specifications, radiation protection, fire protection and occupational safety and
health.
The licensee shall see to it that the requirements approved by STUK as regards
radiation, physical and fire protection are complied with in repairs, modifications and
preventive maintenance during outages as well as during operation. If a deviation from these
requirements is anticipated regarding a specific task, plans concerning the deviation in
question shall be submitted to STUK for approval prior to the commencement of work.
The licensees have a document updating systems which ensure the validity of
documents for use. For a modification, documentation describing plant layout and documents
which affect plant operation, such as the final safety analysis report, systems descriptions,
process, electrical and instrument diagrams, operating instructions and the technical
specifications etc. need to be updated without delay.
System modifications
A system pre-inspection is carried out in the form of a review of the preliminary and
final safety analysis reports and the related topical reports during the construction phase.
During the operation of a nuclear installation, a system pre-inspection can be conducted on the
basis of separate system pre-inspection documentation before the final safety analysis report is
changed. Pre-inspection documents shall be submitted to STUK for approval at least
concerning the modification of systems in safety classes 1, 2 and 3 as well as the modification
of systems STUK has earlier requested inspection for other reasons. Modification of systems
inspected by STUK earlier are submitted to STUK at least for information. Also an individual
component modification which significantly changes a system’s operation or its operating
parameters is considered a system modification.
The safety assessment of system modification is described in 3.3.2.3.
Mechanical components and structures
Control of repairs, modifications and preventive maintenance of mechanical
components and structures is carried out in accordance with the relevant YVL guides. A
construction plan for repairs and modifications of mechanical components and structures is
submitted according to the appropriate YVL guides. For repairs and modifications,
information and reports are included in the construction plan. Furthermore, the grounds for a
repair or a modification are stated and justified.
178
STUK’s inspector may approve a minor repair and modification plan at the plant if the
system’s operational parameters are not changed and the assignment in question can be
considered conventional. In decisions relating to construction plans, STUK’s inspector may
present requirements concerning work-related permits as well as control of work and
inspections. A special construction plan is not required for the carrying out of preventive
maintenance operations if they can be carried out in compliance with regular maintenance
instructions and if approved spare parts and accessories are used.
Repair and modification of mechanical components and structures may be commenced
only after their construction plans have been approved and the requirements concerning the
commencement and control of work, as provided in decisions, have been met.
The repair, modification and preventive maintenance of mechanical components and
structures are subject to inspection. The inspection is usually conducted by STUK’s inspector.
On application, STUK may authorize a utility employee to carry out inspections to an extent
approved by STUK.
The licensee is responsible for maintaining register of repairs and modifications of
specific mechanical components and structures, individual component replacements included.
The licensee shall provide a summary report of any extensive preventive maintenance actions
such as the maintenance of diesel generators, control rod drives and main circulation pumps in
which any observations and maintenance work are accounted for.
After maintenance or modification, a component or a structure is subjected to a
performance test which corresponds to at least a periodic test and by which its operability is
ensured. In connection with system modifications, the test run programme and results shall be
submitted to STUK for approval.
Permits relating to the commissioning of a mechanical component or structure are
reviewed as part of the construction inspection of repairs, modifications and preventive
maintenance. A prerequisite for the commissioning of a mechanical component or structure is
that it has been declared to be ready for operation.
4.2.2. Examples of specific inspections — German practices
4.2.2.1. Supervision of construction and operation by authorities [17]
Function of state supervision
Both the construction and the operation of a nuclear facility are subject to supervision
by the respective nuclear supervisory authority responsible which is to check upon compliance
with licensing prerequisites, requirements and provisions of the licences and other legislative
rules. For this purpose, representatives of the supervisory authority or experts consulted have
the right to enter the facility at any time and have access to any necessary information from
the operator.
For this purpose, the operator submits information operating reports to the authority at
regular intervals and notifies the authority of reportable events according to the nuclear safety
officer and reporting ordinance, in particular of any excess of fixed operating parameters
(limiting values) and advises each change in personnel responsible for operation management
179
and control as well as all results of in-service inspections. In the case of special events as with
the case of important in-service inspections, the experts consulted in the licensing procedure
are also called upon during the supervisory procedure by order of the supervisory authority.
There are three different decision categories for modifications of the plant:
x The modification is subject to a licence by the licensing authority;
x The modification requires approval by the supervisory authority;
x The modification can be performed by the operator and is to be reported to the supervisory
authority.
Supervision of construction
The experts consulted by the licensing authority are entrusted with the inspections of
the layout of nuclear facilities and pertinent systems and components as well as accompanying
control during construction. The accompanying control consists of examining the documents
of the manufacturer or applicant by using regulatory works, specifications and possible
additional conditions imposed by the licensing authority with regard to compliance with
requirements (stated as documents review and approval) as well as compliance of the
components or a system with the previously reviewed documents in the course of the inprocess surveillance. This examination is denoted as source surveillance or quality control
inspection.
The applicant for a licence for the construction and operation of a nuclear plant has to
take the necessary precautions against damage due to construction and operation of the plant.
This includes the assurance of the required quality of plant components. The applicant must
ensure the required quality assurance measures to be taken by the plant vendors and
manufacturers. The quality assurance activities by the authority or the experts consulted do not
replace the quality assurance measures of the applicant or manufacturer.
Thus, the quality assurance (QA) for construction and operation of a nuclear plant
consists of the following parts:
x QA of the applicant.
x QA of the plant vendor.
x QA of the manufacturer for products, components and systems.
The accompanying control is required for all safety-relevant systems and components
as regards nuclear power plants e.g. for:
x Reactor pressure vessel with internals including fuel elements and control rods;
x All other components pressurised with primary coolant (e.g. steam generator, pressurised,
reactor coolant pumps, reactor coolant lines);
x All components pressurised with radioactive fluids;
x Items pressurised in the secondary system;
x Containment;
x Main steam and feed water pipes;
x Reactor protection system;
x Instrumentation and control systems;
180
x
x
x
x
Refuelling and transport equipment for control rods and fuel elements;
Emergency power supply systems;
Lifting and load-carrying equipment;
Physical protections systems.
The scope of the accompanying control is graduated according to the safety-related
relevance of the respective components and systems. It ranges from a 100% surveillance (for
primary system components of an NPP) to that of a conventional regulatory work; in this case,
however, under consideration of special nuclear particulars such as radiation safety.
Qualification examination
For a NPP, e.g. the qualification examination comprises the safety-related assessment
for the following:
x
x
x
x
x
x
x
x
x
x
Design layout;
Strength calculation;
Construction material and other materials;
Manufacturing process;
Manufacturing documents;
Circuit design;
Feasibility of in-service inspections;
Maintenance and inspection possibilities;
Accessibility for repairs;
Plant instrumentation.
The documents from the manufacturers or the applicant are examined with regard to
their compliance with the requirements. These documents are denoted as documents for
approval (vorprufunterlagen — vpu). The following documents are submitted to the inspector:
x
x
x
x
x
x
x
x
x
x
x
x
x
Drawings;
Items of materials (bills of material);
Calculation documents;
Weld location lists;
Inspection plans;
Welding plans;
Heat treatment plans;
Lists on production weld tests;
Materials testing and sampling plans;
Examination procedure for non-destructive tests;
Pressure test plans;
Measurement procedures;
Plans for in-service inspections.
The scope of the documents to be submitted is stipulated in the regulatory work or the
specifications examined by the expert. The inspector examines the documents for approval
with regard to completeness and compliance with the rules and specifications. There are three
181
items for which criteria are to be stated exemplary, which the inspector carries out the
document review and approval against.
Design layout: The design is assessed with respect to conformance with requirements with
regard to functioning, stress, material, examinability and manufacturing as well as ease of
maintenance.
Manufacturing process: This is examined whether or not the necessary prerequisites and
qualifications (necessary manufacturing and testing devices, qualified technical personnel,
procedure tests for forming and welding) have been met.
Test procedure for non-destructive tests: The compliance with the specified requirements, the
suitability of the intended test procedure and the documentation of the test results are
controlled. If changes in the documents are required after they have been considered by TÜV
(e.g. due to alterations of a welding procedure or due to design modifications) a new
document review and approval will be necessary.
Manufacturing surveillance
Manufacturing surveillance means the examination of a component, a system or a
structural component with regard to agreement with the documents reviewed and approved by
the inspector.
Examination of the manufacturing prerequisites: Prior to manufacturing, the manufacturer has
to furnish proof to the inspector that he has suitable equipment (for manufacturing, testing,
transport and handling) suitable technical personnel for the manufacturing process (qualified
welders), supervision (welding and examination supervision) and tests (material testing and
non-destructive tests) at his disposal and that independence of the tests (independent quality
assurance organization, authorized workshop inspector) is ensured. Only materials and weld
filler materials inspected by the expert may be used. Information on experience with the
intended materials and results from tests carried out regularly for the assessment of the
manufacturing quality are reviewed by the inspector. The proposed manufacturing procedures
(welding, forming) are to be qualified by procedure qualification tests. In addition to the
review of documents, the inspector ascertains the existence of the items described at the plant
of the manufacturer.
Inspection during manufacturing: During manufacturing of product forms, the following
inspection activities are provided:
x
x
x
x
x
x
x
x
182
Surveillance of heat treatments;
Surveillance of mechanical testing;
Performance of or participation in non-destructive tests;
Visual examination and measurement controls;
Control of all test results, also of the manufacturer;
Review of documentation compiled by the manufacturer;
Final stamp on parts after successful finishing of all testing;
Issuing of an inspection certificate.
In the course of manufacturing surveillance of components at the plant of manufacturer
following inspections and controls are carried out by the inspectors:
x
x
x
x
x
x
x
x
x
x
x
Receiving inspection of product forms or component parts;
Welding material tests for welding material;
Welding surveillance;
Surveillance of heat treatments;
Non-destructive tests;
Production weld tests for welding work;
Examination of production monitoring test samples;
Visual examination and measurement controls;
Tests on unfinished structures;
Pressure tests;
Final inspections.
During the final inspection, the inspector has to review the following:
x
x
x
x
All records with regard to completeness and validity of the audit trails for future use;
The specified characterisation of components;
The completeness of manufacturing documents;
The safety-relevant dimensions established during document review and approval.
In the event of a positive result, the inspector marks the component with a stamp of
approval and issues a final inspection and pressure test certificate.
Basically, the manufacturing surveillance on the construction site or in the power plant
is the same as the manufacturing surveillance of components at the plant of the manufacturer.
After completion or installation of the systems and components, it is demonstrated by a
functional test in the presence of the inspector that the set of requirements is fulfilled.
In the case of non-conformance with requirements the inspector makes a decision in
the course of the accompanying control. There are three categories of non-conformance:
x Category 1: Non-conformance which can be eliminated by re-examinations or reworking.
examples of non-conformance are poor restart during welding, surface imperfections with
minor surface cavities, negligible non-conformance of specified heat treatment parameters.
No special report is required for these examples of non-conformance.
x Category 2: Non-conformance which can be eliminated according to standard repair plans
or plans on the basis of existing process engineering control. These plans may already
have been submitted and reviewed during the documents review and approval. Examples
for it are material imperfections or imperfections of weld joints with unknown cause and
which are repaired before final heat treatment of component parts. Each non-conformance
is recorded by the inspector in a non-conformance report.
x Category 3: Non-conformance which cannot be assigned to category 1 or 2 are, e.g.
systematic discontinuities, cracks, non-conformances that fall outside tolerance bands and
indications detected after final heat treatment. The further procedure is submitted to the
inspector for each individual case in a non-conformance report. For non-conformance in
183
category 3 the inspector decides whether or not the non-conformance can be tolerated with
or without additional conditions, whether and how repair is feasible, and whether or not
the plant component has to be rejected.
Supervision of operation
Plant inspections: The supervisory authority or experts assigned by it carry out plant
inspections at irregular intervals. The deficiencies determined during such inspections have to
be removed according to their safety-related relevance immediately or within set time limits.
The tasks to be performed during plant inspection are:
Visual inspection of the plant;
Review of the operating records kept by the plant operator;
Examination of adherence to the rules of the instruction manual and safety specifications;
Control of the presence of the stipulated operating and supervisory personnel;
Control of the measuring instruments for contamination and radiation;
Measurements of the local dose rate within the plant and on the plant grounds,
Contamination measurements in the equipment rooms;
Functional tests of the radioactivity monitoring systems of the vent stack and the
Waste water transfer station;
Control of the ventilation systems (differential pressures, volumetric, flow rates, filterload
status);
x Control of the fire protection measures (escape and emergency routes);
x Control of physical protection systems (fence monitoring system, lighting, intrusion
protection).
x
x
x
x
x
x
x
x
x
x
Preventive maintenance: In many non-nuclear facilities components and plant equipment are
operated until they break down. Only then will they be repaired or replaced. This method,
however, can only be applied in cases where safety-related considerations play a minor role. In
nuclear facilities, this method is not applicable.
Inspection and upkeep on the one hand, and repairs on the other are parts of
maintenance. Inspection consists of measures for determining and assessing the actual
condition; upkeep consists of measures for keeping the required condition of systems and
components reliable. Repairs means the restoration to the required condition if it does not
comply with the actual condition. Upkeep and inspection together are also called preventive
maintenance.
The expression “preventive maintenance” implies that it is a matter of acting
preventively and not wafting until parts or entire components fail. In-service inspections
(wiederkehrende Pruefungen — WKP) are a part of the inspections which are to be performed
at regular intervals by the plant operator according to legal regulations or the requirements of
the licence. It concerns, in particular, inspections of safely-relevant plant equipment. These are
in general the equipment required e.g. to shut down the reactor safely at any time and keep it
in the shutdown condition, remove the residual heat and prevent radioactive substances from
being released into the environment.
While in-service inspections are regulated to a large extent by uniform federal
standards, the other inspections as well as maintenance work are mainly planned and
184
performed as the responsibility of the operator. This, however, does not mean that it is left up
to the operator whether such work is done at all. For this reason, the operating licences for
nuclear power plants in Germany generally include requirements that demand maintenance
and inspections as well as in-service inspections. The way in which these requirements are
met by the operator is described in many cases in a quality assurance programme which is to
be submitted to the expert consulted for review and to the licensing or supervisory authority
for approval.
In many cases, the necessary in-plant procedures for maintenance and inspection are
comprised in a maintenance manual. The manual contains all necessary information for the
maintenance personnel of the operator regarding the maintenance and inspection work to be
performed at the plant. It contains a description of the maintenance concept including
maintenance details, the maintenance list and instructions.
In the first part, the general part, instructions are given for the use of the manual. In
addition, an outline is given, and the principles of preventive maintenance are explained.
Further, this part contains general technical standards.
The second part of the manual includes the maintenance list. This is a listing of all
components which are subject to preventive maintenance in the narrow sense. Additionally,
there are data given on maintenance measures, the maintenance intervals and times set for the
carrying out the maintenance work. Components of importance to safety or security are stated
specifically.
The third part of the manual includes the maintenance instructions. These are written
according to the specifications of the manufacturer and are also based on operating experience
of organizational units of the operator responsible for the systems (mechanical engineering,
electrical engineering, instrumentation and control, physics). The instructions specify the work
to be done and offer guidance for record keeping.
The performance of maintenance work is either the duty of a specially organized
maintenance unit or it is done by the organizational units responsible for the systems
mentioned above. According to the stipulations of the maintenance list the expert is consulted
for the maintenance work.
Reportable events: The recording and classification of reportable events is done with the help
of reporting criteria and report forms. The report criteria are defined to a large extent by
technical specifications of the nuclear facility and the legal situation in Germany. Therefore,
the criteria cannot be applied without further ado in other countries with other technical and
legal preconditions.
The reporting criteria are an important instrument in the exercise of functions within
the scope of supervision of nuclear facilities by the authorities. Further, they serve the purpose
of globally using the experience feedback from different plants. In the reporting procedure
time limits are set for reporting so that the supervisory authority is able to react quickly in case
of an incident. Moreover, requirements are stated regarding the contents of the notifications
the aim being to inform the supervisory authority precisely and comprehensively.
The reportable events are specified by the reporting criteria and subdivided into
categories. In Germany there are four reporting categories (S, E, N and V) which are graded
185
according to the time limits set for reporting. Category S has the shortest time limit and N the
longest.
Category S (immediate report): Events that have to be reported immediately to the
supervisory authority in order that the authority, if need be, can arrange for inspections or
measures to be taken within the shortest possible time. This category includes, among other
things events showing safety-related deficiencies which have to be removed very soon.
Reporting Period for Category S is: Immediately upon detection by telephone or telex;
information or corrections of the notification, if need be, at the latest on the fifth working day
after detection on a report form.
Category E (urgent report): Events that have to be reported to the supervisory authority
within 24 hours so that the authority, if need be, can arrange for inspections to be made or
measures to be taken within a short period. This also comprises events the causes of which
have to be identified in the short term and eliminated, if necessary, within a reasonable time
for safety reasons. In general, this concerns events potentially, but not (directly, of safety
significance. Reporting Period for Category E is: at the latest 24 hours after detection by
telephone or by telex; detailed information or corrections of the notification, if need be, at the
latest on the fifth working day after detection on a report form.
Category N (normal report): Events which have to be reported to the supervisory
authority to enable the detection of potential safety-related weak points. In general, this
concerns events of little importance for the safety which exceed the usual operational events
under normal plant status and operational modes. Reporting Period for Category N is: at the
latest on the fifth working day after detection on a report form.
4.2.2.2. Inspection practices in Germany
Arrangements for inspection and inspector’s rights of entry
Due to the large hazard potential nuclear power plants are subject to strict state
supervision. This supervision includes the construction and operation of the facility, the
handling of radioactive materials, i.e. their procurement, storage, processing and disposal, as
well as modifications of the plant and its operation, and also its decommissioning.
An administrative body which grants licenses and permits to applicants must ensure,
that the responsible persons of the facility adhere to these permits, their regulations and
requirements. For this purpose it is necessary to have an appropriate legal basis that meets the
inspector’s requirements.
Regarding the implementation of the Atomic Energy Act in Germany (AtG), experts
are involved on a large scale in nuclear inspection, in accordance with the AtG. The
responsible authorities constantly have to clarify and check very complicated technical issues
in connection with different measures of the supervisory procedure to see whether damage
prevention measures or the required defence against danger are realised. Many expert
organizations have the depth of specialist knowledge to offer to the authorities. Although the
involved experts only act as assistants to the authorities and have no decision-making power
whatsoever, they do actually play a significant role, since the authorities sometimes pass farreaching decisions depending on their experts` comments.
186
The authorities and their experts have the power to inspect what they deem necessary.
Inspection includes checking for compliance with the AtG, the ordinances, the specifications
and allowances, and thus for example;
x Decide on appropriate measures to check for ageing;
x Take measurements, such as functional data of valves, release of activity;
x Seize or demand records for closer scrutiny, consulting other experts additionally, if
necessary.
Objectives of an inspection programme
Continuous inspection is needed e.g. to have a clear insight into the changes of the
plant. Take for instance, operational load conditions, such as temperature or pressure
fluctuations. It has to be found out if these fluctuations happen according to specification, and
if this is not the case to define periodic inspections, to follow the developments. Inspection is
needed to make sure that all effects were considered at design and to be able to stop or reduce
the altering process of the components and the NPP altogether in time.
Thus it is necessary regularly to:
x
x
x
x
x
Cross-check the conceptual data with the actual data of the components;
Compare the condition of the plant with the documents underlying the licence;
Watch the behaviour of the plant (or components) if it is according to the specifications;
Evaluate the sources and effects of ageing;
Check if the safety goals are adhered to.
Objectives of different types of inspection programmes
An inspection manual helps inspectors to direct their work. Basic rules for inspection
are defined here. The manual defines the ways and means for inspection. It contains the
regular periodic inspections. Vital points concerning inspections include:
x A description of those who may take part in inspections (technical bodies, consultants,
experts);
x What is subject to inspection;
x The tasks and rules of the inspectors;
x The rights for entry and inspection;
x The ways and means for inspection and enforcement, including check lists, reference lists,
directives for realization and procedures.
The inspection programmes for components and systems are important tools.
Inspections and regular tests can validate not only the correct function of a component, but of
the system or even connected systems. Also service systems are important to inspect because
their operation is necessary for safety systems.
There are five types of inspection programmes: periodic functional tests, maintenance
and inspection, outage, shift inspections, and monitoring.
187
Usually the authorities view the maintenance programme as inferior to the periodic test
programme. But to be convinced that after the functional tests the component really may be
considered as operable for a defined period of time, it is also necessary to do regular
maintenance and inspection intensively.
To get reasonable and optimal inspection programmes we have to:
x Consider operational experiences of individual and other plants, mostly those of the same
kind;
x Check on regulations for NPPs and the conventional sector for relevant inspection periods;
x Set priorities with the goal to define those components that are most vital for the safe
operation of the plant;
x Consider the results of probabilistic safety analysis to check and optimise inspection
periods and change inspection methods to eliminate weak spots;
x Include into the lists and instructions the participation of experts;
x Stage the tests so that all vital parts are tested so that it becomes evident that the
components and complete trains of emergency systems work in the desired way (if
possible system functional tests);
x Consider the proposed periods and methods described by rules and standards;
x Discuss inspection methods;
x Set procedures that two complementary safety-related systems are never inspected at the
same time;
x Have instructions for ultrasonic or x-ray examination;
x Take the condition of plant into consideration in inspection planning;
x Optimise test frequency;
x Check the programme in regular intervals to collect experiences.
An expert should review also:
x The inspection manuals (with their general statements);
x Inspection instructions;
x Evaluation of inspection results.
The periodic test programme is part of the safety specifications of the plant.
Modification of these data are allowed only if permitted by the authorities.
Having the component-inspection-programmes as a basis and including other activities
as well, such as for plant modifications, the operator has to propose the outage programme to
the authorities and the consultants. These maybe add additional activities, if necessary and
approve the programme.
The operator must prove or confirm the following in written form, to get an official
approval for restart:
x Safety of the core (confirmed by neutron flux, heat transfer and accident radiation release
calculations for the new core);
x Inspections of the fuel elements must be positive (a fixed procedure, maybe enlarged
depending on findings, fuel rod defects and so on);
x No deviation of allowed conditions of the plant;
188
x
x
x
x
No knowledge of conditions endangering the safe power operation;
Reactor safety systems checked with participation of the consulting experts;
Positive termination of special inspections;
Documents revised according to the plant status.
Most of these points are subject to confirmation by the consultants many of whom will
have worked on such plant during the outage?
Inspections and tests in the first place give us the necessary certainty that all is well and
that there is no danger in starting the reactor up again. With this certainty backed by experts’
opinions, the authorities agree to a plant restart.
The programmes are the foundation for the inspections and tests and the results are
described in the protocols. If there are findings, the results are discussed during weekly outage
conferences with participation of operator, experts and authorities, and measures as well as
resulting consequences for restart are agreed upon.
Different types of inspection
Regular, basic inspection, depending on traditional tools can be divided into the on-site
part (direct inspections), and the office-part (indirect inspection, desk-checks). The
supervisory authorities should be on site with a manpower of about 1 man-day per week per
plant. The on site inspection has several important functions: to show the presence of the
authorities; to maintain communication, learn about the licensee’s plans and discuss formal
matters such as the classification of plant modifications.
Regularly checks should include for instance:
x Implementation of the radiation protection ordinance: labelling of radioactive substances,
marking of restricted areas, activity- and dose measurements and cleanliness;
x Access control;
x Presence of operational and guard personnel;
x Fire prevention, rescue and escape routes;
x Correct implementation of rules for disconnection of components or systems, document
handling and upgrading, clearance of work;
x Progress of approved modifications of the NPP;
x Systems’ condition, on the spot as far as possible during operation;
x Systems’ inspections being carried out by use of surveillance testing and maintenance
programmes;
x Implementation of quality assurance;
x Professionalism of personnel.
Regular, basic inspection includes also a visit to the control room, a close look into the
manuals and the discussion with the shift on the condition of the plant, the clearances for
work currently in progress, anomalous events and so on.
Besides on site inspection the authorities get their information through operator’s
regular reports. In the licences for operation there is a requirement obliging the operator to
provide such reports at regular intervals.
189
Daily reports can be handed over by telefax. They should contain basic information
about the plant, such as:
x
x
x
x
x
Notifiable events (according to the notification ordinance);
Excess of radioactivity limits of releases to air and water (as defined in the licence);
Peculiarities concerning the NPP and its operation (such as stretch out, variable power);
Concentrations of radioactivity in the cooling systems;
Leakage inside steam generator.
Remote supervision system (KFÜ): The continuous operation of the NPP and most of all the
release of radioactive matter from the discharge stack or water cannot be supervised
continuously (at any time it is desired) in the above described ways by visits on the plant,
daily report sheets and semi-annual or annual reports.
Therefore an automated system had to be developed that can do this job, the KFÜ With
this system operation variables as well as releases into air and water and immersions can be
checked and recorded. Not only the NPPs on state territory can be supervised thus but also
those of foreign nations, using monitors and sampling stations situated on our side of the
national border.
The KFÜ is an important instrument to check if vital parameters inside and outside the
NPP are within allowed ranges and renders also important post-accident data, i.e. it can help
to provide a forecast of the distribution of radioactivity in the environment.
But, of course, it can do a lot more. So, for instance, it automatically sets off an alarm,
if given limits of a combination of different interlocked parameters is exceeded. This alarm
reaches the appropriate official by a use of a paging system and they have to verify and relay
the message to the officials responsible for the plant.
Intensified inspections: Besides the regular basic inspection activities it is advisable to
establish intensified inspections, with the objective to inspect certain topics or procedures in
depth. These activities can be induced at individual or other NPPs or can be the result of a
safety analysis review or be a part of it. The definition of such subjects are made on agreement
by authorities, operator and consultants. In addition to the authorities` intensified on site
inspections the operator usually has to hand over a number of appropriate documents for
examination and evaluation. The results of the intensified inspections usually are documented
internally and occasionally results are also given to all participants, even to the public.
Examples of such intensified inspection are:
x
x
x
x
x
x
x
x
x
190
Investigation of an event;
Clearance and transport of radioactive material;
Fire prevention and protection;
Safety of cranes and transport;
Safety-relevant gate valves (improvement of reliability);
Industrial safety;
Austenitic tubes in the primary circuit (material, welds, water conditions, corrosion);
Safe use of gases;
Integrity aspects at components with high energy content in the turbine hall;
x Embrittlement of the reactor pressure vessel.
Outage inspection: The annual outage is characterized by the following three groups of
activities:
x Exchange of fuel assemblies;
x Recurrent inspections and extraordinary inspections which can only be performed when
the NPP is shut down;
x Modifications, backfitting and maintenance.
Because of the sheer number of these activities the number of supervisory tasks
increase during this state of operation. Inspection on the site is intensified correspondingly, on
the side of the authorities and most of all on the side of the consultants. Additionally, during a
plant outage a number of activities are performed simultaneously, by a large number of
outside personnel. Besides checking the work itself it is necessary to ensure compliance with
safety related minimum requirements (minimum number of safety systems) for outage
operation and the safety of the personnel. This kind of inspection demands a close coordination of the parties concerned. The different departments of operator, consultant and
authorities must stay in close consultation to treat non-conformities appropriately, avoid
undue delay, avoid disregard of requirements for quality assurance as well as work safety.
Unannounced inspections: Usually inspections are planned and their main programmes
known to the operator. Getting ahead with some inspection subject, it is often of advantage to
have the responsible operator’s specialists at hand. That might not be the case for an
unannounced inspection.
Unannounced inspection is to be considered, if there is:
x Distrust (fear that evidence of some kind be removed);
x Animosities (absence of mutual understanding and respect between the regulatory body
and the operating organization);
x A low safety culture;
x The need to establish proof of some kind (irregularities may be found easier if the operator
is unwarned and unprepared).
However, even if a positive atmosphere between authorities and operator exists, and
even if there exists a good safety culture, unannounced inspections should happen at NPPs,
from time to time, as most ordinary industrial or trade supervisions happen unannounced,
where work safety requirements and requirements of the licence are to be checked.
Reporting of results
Reporting inside the NPP: During safety relevant periodic tests and maintenance, protocols
are created. The protocols shall allow the evaluation of the inspection. For this there is a form
in the inspection manual that has to be filled in appropriately.
191
In principle there are four results possible at the inspections:
x Within specification (design data);
x Within specification and corrective actions during inspection;
x Not within specification, deviation tolerated, an additional inspection after some time may
be necessary, additional measures may be necessary;
x Not within specification, additional inspection necessary (after corrective measure).
There is a part in the form for explanations, e.g.
x
x
x
x
Deviations from specifications;
Findings, including those of non-destructive techniques;
Implications for the systems;
Implications for the procedures (instructions, lists, programmes).
The evaluation of the safety relevance has to be done without delay.
The results of the inspections after this first evaluation are then evaluated in detail by
the departments of the operating organization. They must start the appropriate measures if
there have been any findings. The applicable procedure for planning and carrying out the
repair is described in the operation manual: in the maintenance rule. All necessary steps till
repair or replacement must be documented in a comprehensible way.
Also, the findings must be checked concerning the passing on of information:
x To the other NPPs to check for applicability;
x To the manufacturer for feedback, to define preventive measures for the same or other
installations for the future; and/or
x To the authorities concerning safety relevance according to regulations. For the
identification of root causes experts may have to be consulted, those consulted by the
authorities may have to be informed. Possible generic characters of the causes have to be
considered. The need for modifications of inspection programmes or routines
(instructions) have to be evaluated.
A very important way of evaluating findings and the appropriate measures are direct
personal contacts and regular meetings such as the daily morning meetings. At these meetings
all heads of departments take part, and amongst others the work request/work-orders are
discussed and signed by the management.
Periodic reports: The operator has to submit annually the report on periodic tests. The report
contains the operator’s view concerning:
x
x
x
x
192
Basis for inspections (inspection programme);
Evaluation on completeness, timeliness and correctness;
Irregularities, findings, measures;
Statistics of findings, concerning measures and departments concerned, common cause
evaluation.
opinion concerning the safety-relevance of the findings, such as indications for ageing of
components.
Outage report on periodic inspections: Towards the end of the refuelling outage the operator
presents to the authorities and consultants at a special meeting those inspections that show
more than just a tick at “compliance: yes”, in the protocol form. All these findings can be
found later also in the annual report on periodic inspections. But at this point it’s necessary to
have the latest information, because a decision has to be made if the plant status is acceptable
for restart.
Notification on non-compliance: If safety relevant events or conditions take place or are found
during inspections, they must be passed on to the authorities according to Regulations for the
Notification of Incidents (AtSMV). The licence for operation and the appropriate rule for
notification, defines the:
x The allowed time lag;
x The means (telephones, telefax, forms) for notification;
x That in certain defined cases no corrective action or restart without consultation of the
experts is allowed.
It may be necessary for the notification forms to be supplemented by additional reports,
clarifying the causes and resulting measures.
Results of monitoring: Certain inspection measures, like monitoring, are imposed upon the
operator by requirements related to a licence or accompanying control. The operator is then
required to state the results of these measures, for instance the results of vibration and
temperature measurements concerning ageing, in written reports to which experts can state
their opinions.
Other reports: Furthermore, reports reach the authorities about the outage results (summary)
and on subjects concerning the periodic safety review, events in other plants, and on subjects
of intensified inspection.
Other means for communicating findings to the authorities are: A daily report on plant
performance is sent to the authorities by telefax, including results for emission of radioactive
effluents. This report is due at the authorities in the morning of the following day. The daily
report contains events also, which will be later notified according to the notification ordinance
to the authorities as well as those events which have some importance but have no effect on
plant performance.
In Germany an event as well as a finding at inspections, must be evaluated according to
the AtSMV, as mentioned before. Only if the event has to be passed on to the authorities
according to this regulation, it also has to be evaluated according to INES (international
nuclear event scale) If there is no necessity for information given according to AtSMV, then it
is equivalent to “out of scale” according to INES. For instance, if the finding is severe enough
to lead to a failure in safety functions, if a common mode failure was detected or if there are
deficiencies in the safety culture, a higher level than 0 is to be expected. It must be stated
however, that the INES is primarily a communication tool and not a means for event analysis
and feedback.
193
One additional means of communicating findings to the authorities is the telephone. To
ensure this direct communication it’s best to have good relationships with the operator, a
climate of mutual trust and not mutual suspicion.
Reports on expert level: The consulting experts (TÜV) have an information system (TÜVIS)
by which important events are communicated. This instrument is important for information
processing to the authorities, most of all in cases that concern conventional plants, as the TÜV
is historically a body to check the integrity of pressure vessels and the operability of the
pressure relief systems and carries out respective tests there, too.
Processing of information at the authorities: Depending on the seriousness of an event a short
note must be prepared for the minister, containing details of the state of affairs, safety
relevance, and resulting measures. Comparisons to the earlier events are made and the
categorisation is discussed. Information that could be important to the public is passed to the
federal ministry quickly, by telefax or telephone.
The notification sheets of the event reach also the consulting experts who have to give
their opinion to the authorities as soon as possible within two weeks. The forms are passed on
to the federal ministry (BMU), the federal office for radiation protection (BfS) and the GRS,
an expert organization evaluating the events and preparing quarterly and annual reports on
events.
While the operators give information to the public, if INES level 1 or higher is
concerned, or the event notification classification (AtSMV) is S or E (the two higher levels,
the lower one being N), the ministries pass the news of such events immediately on to the
parliament bodies and the federal ministry for environment and reactor safety.
Enforcement
In cases where the inspection results in findings that, after thorough investigation need
action, the authorities can order remedies. This is also founded on the Atomic Energy Act: To
eliminate unlawful or dangerous plant conditions, the supervisory authorities can order, that a
condition be abolished.
By this law they can order in particular, that:
x Protective measures be taken and specification of these measures;
x Radioactive materials be stored or put in safe custody in a place specified by the authority;
x Operation of the plant be temporarily stopped for repair.
The regulatory authorities have a wide scope for discretion in the practical
implementation of state supervision. There are legal restrictions to the scope of discretionary
authority. The legal action must be appropriate and not arbitrary. The supervisory body has a
wide range of possible measures, the gravest of which is the temporary or even the final shut
down of the plant. Before the supervisory authority orders such a stringent measure they have
to check if the determined illegal or dangerous state of the plant can be relieved sufficiently
with less severe measures. Furthermore the urgency of the measure must be determined and
the probability for some initiating incident that could result in a dangerous condition.
194
4.2.2.3. Examples of detailed inspections
General
This lecture will deal with the inspection types performed by the regulatory body.
There are three types of inspection: routine inspection, inspection of modification and a nonroutine inspection. All the activities of the regulatory body will be demonstrated by specific
examples. The activities of the utility operator will be considered as far as it is necessary to
understand performance of inspection by the regulatory body. The examples given here are:
the periodic non-destructive examination of primary-system components, the modification of
the volumetric control system, a leakage of a steam generator tube, respectively.
As the examples given here are taken from the work of the German regulatory body,
the nuclear standards taken into consideration are several standards of the KTA.
The preparation for the inspection is in case of every inspection described here the
same. Additional to a technical education and experiences in these specific inspections one
has to make oneself familiar with the components to be inspected, with special problems that
have to be taken into account and with the inspection method itself. The next step is to decide
what can be done by oneself, what has to be done in team work and when the help of an
external expert is needed.
In the examples given here the inspections are divided in two parts. The first and
generally the main part of the inspection are the documents for approval, specifications and
other papers submitted by the utility operator. The second part is the inspection in the power
plant. In the most cases, the inspection is performed by the utility operator and supervised by
the regulatory body.
Every inspection terminates with an inspection report. This report contains a brief
description of the problem and the inspection method, the result of the inspection, and the
effect on the state of safety.
Example of routine inspection: Periodic non-destructive examination of primary system
components
The programme of the periodic non-destructive examination of primary-system
components is determined by nuclear standard KTA 3201.4 “Components of the primarysystem of light water reactors, Part 4: In-service inspection and operational monitoring”. The
utility operator provides an approved list of inspection by observance of the nuclear standard.
For every annual in-service inspection the utility operator presents a test sequence plan
containing those non-destructive examinations that will be performed in the current year. In
the course of four years all items of the list of inspection have to be examined. This is
controlled by the regulatory body as well as the completeness in the performance of all the
planned inspections.
All non-destructive methods used must be qualified either by the regulatory body or by
an authorized expert. The inspections have to be performed according to approved
examination instructions and approved specifications.
195
The minimum qualification needed is a basic knowledge in non-destructive testing.
The member of the regulatory body must be familiar with the possibilities and limits of the
different methods of non-destructive testing.
If no external expert is consulted the member of the regulatory body additionally needs
a well-grounded knowledge in one or more methods of non-destructive testing. The special
kind of knowledge needed depends on the inspection to be performed. Usually the special
education needed is Level 2 according to the European Standard EN 473. In case of
mechanised non-destructive examinations the staff of the regulatory body have taken part in
special training concerning the procedure and the evaluation of the used mechanised nondestructive examination. If none of the regulatory body has this qualifications the help of an
expert is needed.
If the inspection is performed by the utility operator and supervised by the regulatory
body the results are evaluated by both the utility operator and the regulatory body. The results
are reported by the utility operator and witnessed by the regulatory body. If the regulatory
body performs his own inspection, he makes his own evaluation and test-report.
The examination is finished as soon as the regulatory body agrees that the examination
performed matches the test sequence plan and the test specifications. If there are any adverse
indications the utility operator has to ensure that the flaw indicated results in no lack of safety.
This is inspected and evaluated by the regulatory body.
The approval to put the power plant back in service is given if the whole in-service
inspection is finished with a positive result. Otherwise the regulatory body can enforce
additional repair works by refusing the approval to put the power plant in service.
Example of modification: Modification of the volumetric control system
For this example the utility operator presented an application for modification titled:
“Optimized supports for the volumetric control system”.
Optimization of the piping support meant exchanging the piping supports of the
volumetric control system and, where necessary, changing the laying of the pipe system to
minimise loads on both piping supports and pipes. Changing the laying of the pipe system
included the replacement of parts of the pipes. Due to the conditions given by the building, it
was only possible to construct the piping supports to stand loads of a jet caused by a crack
smaller than 0.1 times the cross-section of the pipe. This means that a rupture of the pipes of
the volumetric control system had to be precluded.
The first step for the inspection is the review of the documents for approval of the
modified system. This means that the regulatory body inspected the construction, the
calculations, the quality of the material and the quality of fabrication. If necessary the
regulatory body corrected the documents and finally approved them.
The fabrication of all components had to be performed by observance of the approved
documents. The in-process inspections by the regulatory body were documented on the
certificate.
196
The rupture preclusion is based on the basic-safety concept. All new components were
produced by with regard to all regulations of this concept. It had to be proved that the
manufacturing of the remaining components met the principle of the basic safety concept. By
use of the certificates the quality of materials and welds were evaluated with regard to the
admissibility and the completeness of all tests. All documents were reviewed by the regulatory
body.
The calculations presented concerning stress analysis, fatigue analysis and fracture
mechanics were improved by further calculations performed by the regulatory body. The
monitoring programme and the in-service inspection programme were reviewed as well. With
regard to the quality of the components, stress analysis, fatigue analysis, fracture mechanics,
monitoring programme and in-service inspection programme the regulatory body decided
whether the requirements for rupture preclusion were met. If necessary the regulatory body
extended the monitoring programme or the in-service inspection programme. In the worst case
components that didn’t abide by the principle of the basic-safety concept had to be exchanged
or the concept of the modification had to be revised. The modification can only be performed
if the regulatory body agrees with whole concept. The agreement bases on the report of the
regulatory body including the result of the inspection of the documents.
The modifications are performed by the utility operator with regard to the approved
documents. If required, the modifications will be inspected by the regulatory body. These inprocess inspections are documented in the certificate.
After the modification is finished an as-built evaluation has to be performed by the
utility operator and the regulatory body. After the as-built evaluation the regulatory body does
his final report. Only if this report has a positive result, he will give the permission to put the
modified system in service.
Example of non-routine inspection: Leakage of a steam generator tube
The example given here describes a leakage of a steam generator tube. About three
months passed from the first detecting of the leak to the repair work.
The leakage was detected by monitoring the contamination in a secondary loop. The
contamination rose from the ground level 2˜103 Bq/m3 to 6˜103 Bq/m3. When the
contamination had risen to 1.4˜103 Bq/m3 the clue of a leakage in a steam generator tube could
be assured and was reported to the regulatory body. The event was classified as category N
(events with little safety significance which have to be reported to the regulatory body). The
leakage flow was calculated to a value between 50 and 100 g/h. The limit to take the power
plant out of service was set at 2 kg/h.
In their first inspection report the regulatory body consented to the classification of the
event. The leak size was calculated by the amount of the leakage flow. Due to this leak size
the regulatory body calculated the safety clearance to critical flaws by the use of fracture
mechanics. These calculations showed that the leak area was 10-6 times as big as the crosssectional area of a steam generator tube and that cracks with half the size of a critical crack
would have flow rates of more than 300 kg/h. The regulatory body found no reason to take the
power plant out of service immediately. The inspection report concluded with the agreement
to keep the power plant running during the regulation of the repair work until the end of
preparations for the repair work.
197
The utility operator presented a detailed report. It said that the repair work was to be
performed during the next in-service inspection by closing the leaky tube with plugs at each
end of the tube. The regulatory body compiled a further statement. They assessed in detail the
radiological consequences, the results of previous non-destructive testing, possible reasons for
the leakage, the fracture mechanic results, the criteria to take the power plant out of service
and the planned proceedings such as the location of the damaged tube and the repair work.
The regulatory body agreed with the utility operator’s programme but they demanded
documents for approval for both the procedure to locate the damaged tube and the repair
work. All those documents for approval were reviewed by the regulatory body.
When the leak rate rose to nearly 2 kg/h the utility operator applied for a shift of the
limit to take the power plant out of service. They suggested 20 kg/h. After performing some
fracture mechanic and hydrodynamic calculations the regulatory body agreed to fix the limit to
take the power plant out of service to a leak rate d 8 kg/h.
When the leak rate reached a value of 2.4 kg/h the utility operator decided to take the
power plant out of service in order to repair the damaged tube.
The location of the damaged tube and the repair work were performed in the presence
of the regulatory body.
The first step to locate the leakage was a water level test. Video cameras were installed
in both primary vaporisation drums of the steam generator. The secondary side of the steam
generator was filled with water and pressurised. It was possible to locate the leak in the cold
leg of an unplugged tube. By lowering the water level step by step the leakage was located
directly above the tube sheet. No further test was performed to locate the leakage. This
difference to the approved documents was reconciled with the regulatory body.
The next step was to fix a test schedule for the eddy current test of the tubes. In
agreement with the regulatory body the utility operator planned to inspect about 37 tubes in
the surrounding of the defect tube and about 33 tubes in areas around tubes that were known
from former in-service inspection to show indications due to reduced wall thickness.
The defective tube was inspected first. The eddy current test indicated two flaws each
about 6 mm long and 3 mm wide. Two other tubes in the immediate neighbourhood of the
defect tube showed indications due to a reduced wall thickness of more than 50%. By opening
an inspection hole on the secondary side of the steam generator, the area surrounding the
defective tube was inspected using a videoscope. A lost part was found directly between the
defect tube and the two tubes with indications. This particle was identified as a semicircular
shaped strip of sheet with a diameter of about 30 mm and a thickness of about 3 mm. The
particle was located at an area with material erosion due to contact between the leaking tube
and the particle.
After the reason for the damage had been found, it was decided to reduce the
inspection programme to the area surrounding the damaged tubes. This was done in agreement
with the regulatory body. No further indications were detected.
It was decided to plug the damaged tube and the tubes with a reduced wall thickness
>50%. The repair work was performed in the presence of the regulatory body.
198
From the location of the damaged tube to the plugging of the three tubes the whole
repair work took less than 48 hours. This was possible because the approved documents for
any eventuality had been prepared and because the regulatory body was present during the
whole procedure. All steps from the schedule for repair which had proved to be unnecessary
could only be cancelled in agreement with the regulatory body.
In his final report the regulatory body described the whole procedure and explained
decisions.
4.2.3. Inspection practices in the United Kingdom
4.2.3.1. Background
Under UK law all employers must ensure that their workers and the public are kept
safe. Nuclear plant can only be put on a site if the Health and Safety Executive (HSE) has
granted the operator a nuclear site licence. HSE’s Nuclear Safety Directorate (NSD) issues
these licences and inspects licensed plant through its operational arm, the Nuclear Installations
Inspectorate (NSD). This note is mainly about NSD’s work.
Licences are only issued to companies or public bodies that are actually in charge of
day-to-day nuclear operations in a clearly defined area of a site. Nuclear licences do not have
any time limit, although they tend to be reissued every five to ten years because of
organizational or plant changes. Each licensed site has an identified site inspector based at
NSD headquarters. Site inspectors spend 35% of their time carrying out their inspections on
site.
Unlike countries that set very detailed technical laws, UK health and safety law sets
goals and calls for licensees to make arrangements for meeting their legal duties. This calls for
the regulator to be able to judge those arrangements and requires a relatively skilled approach
to inspections. Various types are used, ranging from routine inspections by a nominated site
inspector to large, multi-disciplinary team inspections carried out by as many as twelve
inspectors that focus on a specific theme.
UK nuclear regulation aims to ensure that licensees are meeting their statutory
obligations, have sufficient resources to meet their responsibilities for health and safety, and
that their proposals and actions keep risks as low as reasonably practicable.
This note outlines the approach adopted in the UK for enforcing health and safety law
through the inspections carried out where the main aim of the law is not to be prescriptive. It
outlines some of the several types of inspection used to meet different objectives throughout
the many phases of plant life. NSD’s inspection programmes are discussed. Although most of
the examples used arise from nuclear power plant inspection, the licences issued to and the
techniques used by the UK regulators apply equally to fuel manufacturing and reprocessing
plant.
Unlike most UK industries, prospective nuclear licensees must show that their plant
will be safe before a licence will be issued. They must also show that they can manage the site
and deal with any liabilities remaining when the site is finally shut down. Without a nuclear
site licence they cannot operate. This means that new applicants need to hold early talks with
NSD, to ensure that effort is not wasted on both sides.
199
As elsewhere, UK safety law holds licensees responsible for safety. The NSD sets
safety goals and the aim is for licensees to set out how they will meet them. NSD will see that
these are adequate and are met by the licensees, and will take enforcement action to ensure
this where necessary. This policy ensures that the licensees accept that responsibility, whilst
allowing them to find their own ways of complying with the law.
To retain independence, a balance has to be struck in how far NSD should be involved
in the design and assessment process. This calls for careful choice of the key safety issues and
what to examine. Licensees must carry out their own detailed assessment and audit of their
designs from the safety point of view. NSD will satisfy itself that licensees have the
organization for this and that they are carrying out their functions effectively. They do this
through both planned and reactive inspections.
NSD inspectors have the power to ban an unsafe activity or call for improvements, but
can only have fines imposed through the legal courts.
4.2.3.2. Types of inspection
The UK system allows for several classes of inspection that follow the life-cycle of a
plant from its design, through construction to licensing and operation and in-service
modification, to eventual decommissioning and delicensing.
Design and construction
An NSD inspector is allocated to the site from the start of construction through to
decommissioning and eventual delicensing. This means that frequent inspections and
discussions take place, key tests are witnessed, and the test reports are checked. Specialist
inspectors help to assess safety cases and often visit the site and key manufacturers’ works.
They use their expertise to monitor the construction of important items of plant and witness
tests and quality assurance procedures. It has been found that close monitoring by NSD while
plant is being built will ensure that the licensee achieves a design that meets the safety
requirements.
Routine site inspection
Planned inspection: To check for compliance with the licence conditions and to gain an
overall view of site activities, nominated site inspectors spend around 35% of their time on
their site. They may spend longer if a particular aspect needs attention. Their inspection plan
aims for most of their work to be proactive rather than reactive. It is based upon ensuring that
the licence and other significant health and safety legislation are being complied with.
Periodic shutdown: Licence conditions require that licensees make arrangements for carrying
out plant maintenance, and these arrangements call for operations to be shut down periodically
so that major overhaul and inspection can be carried out of significant safety-related items. In
the case of plant such as reactors, such shutdowns must be carried out every two or three
years, and NSD’s formal consent is needed before they are allowed to restart the plant.
Much work is carried out during this period, and NSD meets with licensees before the
work to agree the proposals and, on completion, to discuss their findings before giving its
200
consent. Before this is given, several specialist assessment inspectors look at the licensee’s
results and visit site to see for themselves the records of the inspections and some of the work.
Before allowing plant to start up after a shutdown, the licensee must report to and
satisfy NSD about:
x Outage maintenance and inspection results;
x Plant performance since the last periodic shutdown; and
x The adequacy of the plant to perform safely until the next periodic shutdown.
Project inspection: Frequently throughout the life of a plant licensees call for repairs or
modifications to be made in the interests of safety or to enhance production, many of which
can affect nuclear safety if they are not carried out properly. The more significant ones require
NSD’s agreement before major works can be carried out and before the plant can be operated
with the repair or modification. Such activities can call for specialist inspectors to assess the
proposals and any test and quality assurance records. They may also visit site or
manufacturers’ factories to carry out their own inspections to satisfy themselves about the
safety of the work.
Reactive inspection
Preliminary investigation: Although site inspectors are not resident on the site, licensees are
required to inform NSD about a wide range of accidents and lesser events that occur on their
sites. Many of these need to be followed up by the site inspector, either on a special visit, if
serious enough, or during the next routine visit.
NSD inspectors have the power to make people report to them about events unless
those people are responsible for an offence. If so, an investigation must follow.
Regulatory investigation: If a serious event has caused NSD to believe that regulatory action
should investigate whether the law has been broken and to collect samples, statements from
witnesses, photographs and other documentary evidence that can be presented in a court of
law. Such investigations usually involve two inspectors, one of whom may or may not be the
site inspector.
Emergency arrangements: Licence conditions call for arrangements to be made to deal with
any accident that could lead to radioactivity being released on or off the site. An emergency
plan must be prepared and submitted to NSD for approval for each site. This outlines the
organization and procedures to be used on site and with local emergency services to protect
the general public. It sets out provisions for on-site and off-site radiation monitoring, and for
the chain of communication.
Level 1 emergency exercises: Licensees are required to demonstrate their emergency plan to
NSD’s satisfaction. The sites each prepare an emergency exercise every year and many of
these, work with the local emergency services to show they can manage a major accident if
one happened. A team of up to five or six NSD inspectors observes these exercises and
comments on any shortfall: NSD can call for all or part of an exercise to be repeated.
Level 2 and 3 emergency exercises: To show that national emergency arrangements will also
work, a smaller number of Level 2 and 3 exercises are also required. Several Level 2 exercises
201
are held each year; these involve simulations of major interaction between licensees and
government agencies for an event that extends to the local community. Only one Level 3
exercise is carried out each year for the whole UK, and for this the full national arrangement is
tested. Senior NSD staff have a significant role in both Level 2 and Level 3 exercises. Around
15 to 20 NSD staff are used as team members and up to three or four act as observers. The
results of these exercises are used to improve responses by all organizations involved in them.
Enhanced team inspections
Many safety audits or team inspections are also carried out each year on particular
plants or on a safety topic. For these, a multi-disciplinary group of inspectors visits one or
more sites and reports the findings to the licensee, so that improvements can be made, where
appropriate.
Large team inspections: Over the years, NSD has found it helpful to adopt a flexible approach
to inspection, occasionally using teams of ten or more inspectors and sometimes including in
those teams inspectors from other regulatory functions, such as environment, conventional
health and safety, and fire and explosives.
The first main inspections of this type concentrated on the management of safety
systems including the work permit system. Other important inspections have included those
that NSD used to satisfy itself that during the UK deregulation of the electricity supply
industry, companies entering privatisation could adequately met nuclear regulatory
requirements. This inspection extended to headquarters’ documentation and management
systems, site implementation plans and even detailed examination of proposed site boundaries
and joint working arrangements where sites that had once contained two magnox reactors and
two advance gas-cooled reactors, operated by a state-owned company separated into two
privately-owned companies. The whole inspection and audit process involved every NPP site
inspector plus a large team of other inspectors over several months (and involved the Chief
Inspector answer questions before a select committee of the UK parliament) preparing for the
changeover.
Another high profile team inspection involved the investigation of management of
safety problems at the Dounreay Nuclear Establishment following an event when power
supplies to the site were disrupted by a contractor working with earth moving equipment on
the site. The inspection team of twelve inspectors lasted three weeks and included one of
NSDs deputy chief inspectors.
Again, the chief inspector was asked questions by a select committee of the parliament.
The subsequent report, published on the Internet, contained 145 recommendations and
severely criticised the amount of work delegated to contractors on the site.
Targeted team inspections: Several team inspections are carried out each year that involve
teams of two to six inspectors visiting a site or other establishment run by a licensee for two to
five days to look into a particular safety issue, such as:
x Control and supervision of work;
x Radioactive waste management;
202
x
x
x
x
x
x
x
x
x
x
x
x
Maintenance arrangements;
Company reorganization;
New licence application;
Headquarters functions;
Safety case production;
Management of safety;
Control of contractors;
Licence compliance;
Plant modifications;
Quality assurance;
Event reporting; or
Staff changes.
The choice of what to inspect may be decided by NSD policy or by the site inspector’s
need to look more closely at a potential weakness on the site or at a licensee’s headquarters. A
particular example of an extended team inspection occurred when Sizewell B was set to work.
Six NSD inspectors, plus two American inspectors from NRC, followed commissioning over
several weeks.
4.2.3.3. Inspection programme
General
It is neither possible nor necessary for each site inspector to monitor everything on
every inspection. The best that can be achieved is to sample what goes on. It is too easy only
to follow up events, rather than to be proactive. It is also necessary to ensure that plants with
more problems get more attention than those with fewer problems. Use of a planned
inspection programme that fits the plant helps to avoid only following up site events, which
may then lead to a biased view of the safety performance of the plant.
In the UK, site inspectors are generally nominated for just one site, but they support
other sites as required, so some of their 35% of time on site may be spent on a site that is not
their own. As a health and safety regulator, they focus their inspections on licensees’ legal
duties, but may use their results to persuade operators to keep improving safety standards.
Site inspection programme
The site inspection programme is developed with a view to the significance of the risks
posed by the plant or particular operations within it. These risks can vary over time: new plant
being put into service may bring higher risk, so may need to be monitored closely until it is
shown to be working satisfactorily. Alternatively, plant may break down or become less safe,
so may need increased attention from the operator and the regulator.
To draw up the programme, it is helpful to identify the main risks on the plant and rank
them in order. These risks may not all be technical: some may relate to public opinion.
Inspectors must target their inspection on real issues and try to work on what they know to be
a real risk. They use their programme as a plan for guidance, rather than a checklist, and can
change it if other work needs to take priority.
203
The aim is to target plans on higher risk operations or plants and to have a set of issues
to consider for each. Some of the issues may relate to compliance with the law, others to
resources or even management attitude. The aim is for the plan to cover one to three years, yet
to give confidence that the operator is behaving safely at all times.
An example of the sort of operations included for a nuclear power plant are:
x
x
x
x
x
x
Essential power supplies;
Pressure circuit integrity;
Reactor control systems;
Post-shutdown cooling;
Fuel route systems; and
Waste management.
The issues to assess for these operations include:
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
Quality assurance and records;
Fault identification and control;
Accident and event statistics;
Management and control of:
Maintenance and testing;
Radioactive waste;
Modifications;
Safety cases;
Operations;
Worker radiation doses;
Operating instructions;
Licence compliance;
Radiation protection;
Staff competence;
Staff training; and
Work planning.
Other topics considered separately from the operations are:
x
x
x
x
x
x
x
Management of contractors;
Emergency preparedness;
Other legal requirements;
Non-nuclear safety;
Site management;
Work planning; and
Safety culture.
The plan allows for about 20% of a site inspector’s time to be spent on reactive work,
following up events and unplanned problems.
204
Team inspection programme
Emergency exercise programme: Each site must carry out a Level 1 exercise every year and a
Level 2 or 3 exercise typically every three to four years. The dates for these exercises are
planned centrally by NSD and agreed with the licensees on a rolling programme.
Targeted inspection programme: Each year, the performance of each site is reviewed and
ranked against the others, where possible. Site inspectors’ and line managers’ reports help
with this. NSD’s senior managers review these rankings, together with any requests from site
inspectors for specific assistance. In addition, they consider the aims of the organization:
recently, there have been several reorganizations of the industry that have led to greater public
interest. As a result, additional team inspections have been run to assure NSD that the
organizations can do what they say they will, and that they manage the changes they are
making without reducing safety standards.
Overall, the aim has been to provide about ten or twelve such inspections each year.
With a major change, such as relicensing a reorganized operator, the programme of
inspections may run over two to three years, until NSD is satisfied that the new organization is
working well.
4.2.3.4. Reporting results
To obtain information for planning programmes, a report is written for each inspection.
Summaries of routine inspections remain working documents, confidential to NSD, but the
main aim of a team inspection is to produce a report that will be used to gain improvement
from the licensee: they receive a copy.
A quarterly summary report is produced for the public who live near the site, and NSD
publishes a nuclear safety newsletter that summarises NSD’s activities as a whole. This may
include the findings from some of the more significant team inspections. If there is a major
public interest or concern, a full public report may be published. Occasionally ministers call
for a report.
4.2.3.5. Inspection manual and objectives
Health and Safety law in the UK sets goals for industry to meet, and the Health and
Safety Executive’s (HSE) Nuclear Safety Directorate builds this into the licences it issues
through its Nuclear Installations Inspectorate (NSD). Licensees must meet a basic level of
safety and improve on this where possible.
Inspectors use two criteria to judge what to inspect: system risk and licence
compliance. Risk is used to decide what proportion of time should be devoted to the
inspection, and licence compliance is used to determine whether licensees are meeting their
legal duties.
Over the years NSD inspectors have set out the standards that they apply for their work
and told licensees about these. In fact, there has also been a need for NSD to inform the public
about its work. Its standards are set out for the public in two booklets published by HSE, “The
tolerability of risk from nuclear power stations” and “Safety assessment Principles for nuclear
205
installations (SAPs)”. In addition, the nuclear safety advisory committee gives advice on
appropriate standards for the industry.
For NSD staff, guidance has been given in a manual that outlines the purpose of each
condition of the nuclear site licence and how to check that a licensee is complying with them.
This guidance is available to licensees, except for a small amount dealing with enforcement
action. NSD staff are trained in the use of this guidance before they become site inspectors.
In addition to NSD’s inspection criteria, licence conditions call for operators to carry
out their own inspections, and it is part of NSD’s function to satisfy itself that adequate
standards are set for these inspections and appropriate records are kept of them.
Regulatory standards
The ALARP principle: UK safety law aims for risks to workers and the public from work
activities to be made as low as is reasonably practicable (ALARP). Risks are judged against
the costs of reducing them, and employers must remove or reduce a risk unless it would
clearly be unreasonable to do so.
Limits to prevent extreme risks must always be met, however much it costs. If the risk
can be reduced still further at reasonable cost, this must also be done. Even when the point is
reached where risks are so small they do not need to be made any lower, employers need to
check that the plant stays this safe. NSD checks that licensees meet both the relevant laws and
the ALARP principle.
Tolerability of risk: Accidents must be avoided, just as routine radiological exposures must.
There is a point where the chance of a major accident on a site would not be acceptable. If a
risk cannot be made low enough, plant cannot be built, and will not be licensed. Even when
the chance of serious accidents is small enough for a licence to be granted, licensees must still
take steps to prevent such faults or their consequences. More must be done to prevent faults
and to meet the ALARP principles for faults that could lead to the worst consequences. The
ideas behind such an approach are explained further in HSE’s publication “The Tolerability of
Risks from Nuclear Power Stations.”
Safety standards: This ALARP approach calls for licensees, plant designers and operators to
look closely at what can be done to reduce radiation exposures and risks of accidents.
Judgement is, of course, needed about what is reasonable, and licensees must set out what
they aim for. NSD monitors and questions decisions at every stage from the earliest design of
a plant through to its decommissioning. It expects licensees to draw up their own design safety
criteria and standards. NSD would look for standards to be based upon those of the IAEA, the
British Standards Institution or the American Society of Mechanical Engineers.
NSD’s inspection standards
HSE’s safety assessment principles: NSD has drawn up safety assessment principles for
nuclear installations (SAPs). These indicate to licensees and the public what standards HSE,
through NSD, expects to see in designs for new nuclear plant. These principles give NSD’s
views on what is achievable and set out the requirements for assessing the safety of designs.
They reflect HSE’s views about the tolerability of risk.
206
The basic safety limits given in SAPs relate to the ‘Not allowed’ region of the ALARP
figure, and basic safety objectives relate to the broadly acceptable region. SAPs also set
engineering design principles. NSD looks for defence in depth. This means that the design
must use many different complementary ways to minimise faults and prevent the escape of
hazardous material, such as fission products, from the site. For example, in a power reactor,
solid fuel helps by locking the fission products in the crystal lattice, while the fuel cladding,
the primary pressure vessel, and secondary containment, all help by stopping radioactive
materials escaping to the environment.
Many of the principles deal with the other engineered safeguards or protection systems
that help to preserve these physical barriers during faults or external hazards like fires, floods
or earthquakes. The aim is for the plant to be reliably and effectively shut down, cooled, and
controlled. NSD also looks at the effect that human error and operator behaviour might have
on managing the plant at such times.
Older UK plants were built before probabilistic safety assessment methods became
widely available, and the SAPs are intended for new plant designs, but many of the principles
deal with plant reliability and event probabilities for systems and components. NSD prefers
probabilistic safety assessment to be used, both for system reliability and for fault analysis
using, for example, fault and event trees. Licensees make such risk assessments as part of their
safety case. This gives a way of judging designs and revealing weaknesses.
Not enough is yet known about how structural and mechanical items behave and how
human operators will work in complex faults to be able to accept computed results. This
means that NSD does not think that a safety case can rely only on a probabilistic approach.
The case must show that sound engineering principles have been used in the design; the
probabilistic safety assessment confirms the overall robustness of the design concept.
Inspection guidance
Training: All NSD inspectors are university graduates, and most have at least ten years’
experience in industry. They cover a full range of engineering, scientific and human factors
expertise. Most, but not all, will have come from the nuclear industry. Before a new inspector
is given responsibility for a site, training is given. Upon joining NSD, they receive legal and
technical training that is related to the types of inspection practices used for the different
processes NSD regulates. Much of this training is appropriate to assessment inspectors as well
as site inspectors, but one of the courses is quite specific to preparing for site inspection. This
deals with the practical work of what to look at and how to conduct oneself on site. It includes
how to carry out an investigation and collect evidence where the law may have been broken.
Other courses concentrate more heavily on these aspects.
Inspector’s discretion: HSE places much emphasis on the fact that its inspectors should use
their powers with discretion and should act in the best interests of safety at all times. They
cannot be present to stop every unsafe act, so they must manage their time to achieve the best
overall result. This means that they must spend more time looking into some problems than
others, although this will change as time or circumstances change. They need to use their
experience to judge what to do.
Compliance guidance: NSD’s guidance has been developed from its own experience of
working with the UK system and from international best practices. The nuclear site licence
used in the UK has 35 so-called “conditions”, many of which call for licensees to ‘make
207
arrangements’ to do something. For example, part of Licence Condition 22 deals with plant
modifications:
“The licensee shall make and implement adequate arrangements to control any
modification or experiment carried out on any part of the existing plant or process which may
affect safety.”
NSD’s guidance then sets out what is looked for in those arrangements. For example,
they should deal with:
x Changes to plant or safety cases;
x Deliberately overriding safety devices that have not been provided with a facility or do not
have authorized operating or maintenance instructions for doing so;
x Concessions on materials that do not meet their quality specifications;
x Changes to plant operating rules, technical specifications or maintenance schedules;
x Tests or experiments that could affect nuclear safety by changing the state of plant;
x Any plant investigation that is not covered by operating or maintenance instructions.
This list is not exhaustive, but if inspectors are in doubt about something that has been
done without using the arrangements, they would judge whether what had been done seemed
to fall close to one of these ideas.
To avoid having too much detail on every piece of work that needs to be done on
nuclear plant, the licence condition goes on:
“The aforesaid arrangements shall provide for the classification of modifications or
experiments according to their safety significance. The arrangements shall where appropriate
divide the modification or experiment into stages. Where the Executive [HSE] so specifies the
licensee shall not commence nor thereafter proceed from one stage to the next of the
modification or experiment without the consent of the Executive. The arrangements shall
include a requirement for the provision of adequate documentation to justify the safety of the
proposed modification or experiment and shall where appropriate provide for the submission
of the documentation to the Executive.”
NSD seeks to ensure that licensees have three or four categories for judging
modifications. These should ask whether, if the work was inadequately conceived or
implemented, there could be:
x
x
x
x
Serious radiological hazard on or off the site;
Significant but less serious radiological hazard on or off the site;
Minor radiological hazard; or
No radiological hazard.
Clearly, the more significant the potential safety risk could be, the more control is
looked for by NSD. For category 1 modifications, NSD’s agreement will be sought before
work begins. Inspectors will also check the design and installation of modifications.
Inspectors use their experience and judgement to decide whether work in progress has been
placed in the right category.
208
It is very important to ensure that any proposal is independently peer reviewed, in case
some important nuclear safety issue is overlooked. This means that the regulator looks for a
system that controls all work. For example, a contractor who digs a hole in a road could strike
important power or cooling supplies, even though the work in hand appears not to have
anything to do with nuclear safety. The peer review will ensure that thought is given to such
problems by asking the appropriate questions.
More serious modifications should receive more detailed consideration by the
licensee’s organization and should call for more checks that:
x
x
x
x
Higher level of peer review and authorization are applied;
Higher quality standards apply to the work;
Designers, assessors, and plant installers are more qualified and experienced; and
Other plant or people are not put at more risk.
Quality assurance
General: High risk activities, such as nuclear power generation and aviation, can lead to
widespread contamination or many deaths, so they demand a higher than average level of
assurance that things will not go wrong. When there are many processes involved in carrying
out an activity all day, every day by people who must co-operate to do the work, it is essential
that systematic procedures are used. The most hazardous activities must receive the highest
levels of assurance. To ensure this, licensees must have a QA system.
The standards applied with such systems must be used throughout the whole process,
not just parts of it. QA is not effective if it is only used at the end of a task to determine what
can be accepted or needs to be rejected, so regulators need to be checking for signs that the
staff really do believe in the system. Honest self-assessment and wanting to keep improving
the safety system are important to its success.
Licence requirement: NSD’s nuclear site licences call for licensees to have quality assurance
arrangements covering all safety matters. Site inspectors look at the document or set of
documents, procedures and instructions covering:
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
Design;
Construction;
Manufacture;
Commissioning;
Operation; and
Decommissioning;
Management responsibilities structure and arrangements for:
Key safety-related organizations;
Interfaces with organizations;
Specific tasks;
Site staff;
Individuals’ responsibilities for specific tasks;
Types of controls to be applied and to what systems;
Controls applied to procurement specifications and items received;
Performance standards; and
What is to be done if standards are not achieved.
209
Standards: Licensees use national or internationally recognised QA standards such as IAEA
Safety Code 50-C-QA: 1988 and its associated guides, or ISO 9001 and British Standards for
specific projects or procurement activities.
Documentation: A common QA model used in UK has three levels:
x Upper level: Policy document, setting out organization and key responsibilities for
ensuring safety, quality and legal compliance;
x Middle level: Manuals describing department responsibilities and how work should be
done:
Procedures for work involving more than one department;
Post profiles setting out each individual’s authority, responsibility and accountability;
Interface agreements and lines of communication with related organizations, such as
company headquarters;
x Lower level: Specific quality plans and detailed work instructions.
Audit and review: Irrespective of the standards set out, there should be evidence that the
licensee checks periodically and systematically that they are being achieved. This is not just a
check that procedures are being followed; they may be wrong. Inexperienced inspectors often
discover evidence in licensees’ audit reports that procedures are not being followed and
assume that the quality will be wrong. This is not always so. The important thing to find out is
what a licensee does when procedures are not being followed:
x
x
x
x
Is an investigation carried out to see whether the written procedure needs to be changed?
If the procedure needs to be changed, is it amended quickly?
How are changes controlled?
If a procedure is changed, is training given in its application?
There should be evidence of a planned audit programme covering each year’s work and
looking forward a few years. All safety related systems and procedures should be covered in,
say, two to five years, depending on their safety significance.
There should be clear evidence that findings from licensees’ audits have been recorded
and made known to the person responsible for the activity — usually they sign to say that they
have seen the statement. There should be a system for progressing and clearing actions.
As well as the regular audits and progress of actions arising from them, there should be
evidence that senior managers review the results each year, and match them with other results
from the plant. They should be looking for signs that things may be going wrong in one
particular area of the plant, or with one type of activity, such as up-dating of instructions or
procedures, that may affect everything.
Using the results of these audits and reviews, regulatory inspectors should then use
their own observations and experience to choose how to focus attention on the more
significant items. They may, for example, see whether they agree with the findings by carrying
210
out their own sample inspection or audit. Or they may highlight some of the findings from
several audits and seek improvement on these.
Use of licensees’ results
Licensees’ inspection: Licensees carry out many inspections for their own or regulatory
reasons. Regulators use results from these to reduce their own need to repeat the work and to
ensure that the licensee has a responsible attitude to safety.
Maintenance inspections. Maintenance surveillance records are important because they show
whether plant condition is deteriorating. They need to be in a suitable form and stored in a
way that makes them easy to refer back to. They are a vital source of information for
regulators, who must have confidence that they give a true and complete story. It would be
very bad for safety if something had been examined and was on the point of failure, but the
person who carried out the inspection was not suitably qualified or experienced to do the job
properly, so recorded the wrong result.
It is also important that everything that should be inspected is listed and done. This
may be difficult where access is not possible or inspection would take a long time. Equally, it
can be difficult to be sure that everything that needs to be done at a site is being done. It is
usually helpful for regulators to check what the safety case says and to compare what is done
at other sites.
Quality audits. Regulators should inspect the results from the QA audits mentioned on the
previous page from time to time. They are usually one of two types, those that look deeply
into a very narrow part of an activity, or those that look less deeply across many related
activities. The deep audit checks every level of an activity, from the manager right down to the
point of work. It is appropriate for looking at a task carried out within a single department. An
example based on refuelling activity might check:
x
x
x
x
x
x
x
x
Who decides what fuel to load and to where?
Who authorizes it?
Who does it?
How is the fuel collected, checked and loaded into the reactor?
What controls avoid putting people at risk throughout?
What safety controls need to be operated or prevented from operating?
What records are kept of what has been done?
Is there anything about what is done that could be done better?
The broad inspection is appropriate where several departments may be involved or the
activity covers a longer time. Take, for example, the total fuel management cycle:
Who orders fuel?
How is it received, checked and stored on site?
How is the issue of fuel for refuelling controlled?
What checks are made that what is specified is right and that what has been done meets
the specification?
x How is the irradiated fuel managed?
x How are other waste materials managed?
x
x
x
x
211
x How are all the wastes disposed of from site (if appropriate — if not, is there sufficient
storage for the waste now and for the future?)
x Is there anything about what is done that could be done better?
The last question in each type of audit is aimed at ensuring that they are technical,
rather than procedural audits. It is relatively easy to judge whether people are doing what the
procedure says. (Often they are not until a few audits have highlighted the fact and changed
the procedure.) The more important question is whether anything can or should be done to
improve the chance of it being done more safely.
It can be seen that the deep slice tends to examine much more of the technical issues to
do with handling the fuel. The broad shallow slice covers more wide ranging issues that will
tend to show how the activities are managed.
Independence. It is vital to make safety and quality part of everybody’s work, rather than
something done by somebody else at the end of the job, but some parts need to be carried out
as independently as possible. This may mean that someone who needs to check that a
particular installation is complete is given the task of saying how much else needs to be done.
By changing their view of what they need to do, they may see something that the person who
thinks the job is finished will not have seen. It is sometimes helpful if checks are carried out
by people in a mutual support rôle. One checks another’s work this time, the other checks next
time. The quality is measured by the lack of error, and neither individual wants to let the other
down.
This is not appropriate for every activity; sometimes more than one check is needed.
The danger is that many people checking the same thing will not always add value to each
other’s work. They must each be responsible for and look at something different.
Conclusions. To be fully effective and to make licensees accept their responsibilities for
safety, rather than to make them meet particular regulatory requirements, NSD has developed
a system of inspection that relies upon using experienced staff who can judge for themselves
what is important to safety. Even so, this cannot be done without additional training and
guidance for its staff on how to apply the law and to use an important part of the UK system,
discretion.
NSD has produced quite extensive guidance for its staff, some of which is available to
the public and its nuclear site licensees, so that the standards can be understood by those who
need or wish to know. Even so, these standards need judgement to be used, and NSD’s
training helps staff to use them appropriately.
A major requirement is that licensees do as much as is reasonably practicable to reduce
risks, and this is a duty on all UK employers. The major difference for the nuclear industry is
that a licence will not be issued nor will permission be granted for activities that are
considered to be extreme risks.
When plant is found to meet NSD’s basic safety objective, or is broadly acceptable,
NSD does not actively seek more improvement, but the licensee must make any reasonably
practicable improvement, say, as a result of new technology.
212
The quality assurance programmes NSD looks for among its licensees are those based
upon international standards for nuclear plant, although it also finds references to British
Standards QA guidance in use.
Although NSD’s inspectors are not resident on the sites, they use licensees’ audit and
inspection results to judge whether all that can be done to ensure safety is being done. They
use licensees’ results with their own experience and knowledge of the legal and practical
problems with health and safely management to guide their own inspections. They are seeking
to ensure that managers carry out reviews from time to time to constantly improve safety on
their plants and to meet the ALARP principles at all times.
5. DOCUMENTATION
5.1. IAEA GUIDANCE FOR DOCUMENTS GENERATED BY THE OPERATOR AND
THE REGULATORY BODY WITHIN AN AUTHORIZATION PROCESS
5.1.1. Documents produced by the operator
Different types of documents are prepared by the operator in carrying out its
responsibilities with respect to safety of a facility. This includes three categories of
documents:
x Documents required by the regulatory body for formal approval at the various stages of the
authorization process;
x Reports that are submitted to the regulatory body periodically or, for events, incidents or
accidents which are identified in the regulations;
x Documents that are prepared for the conduct of the activities related to the facilities and are
made available to the regulatory body upon request.
5.1.1.1. Documents to be submitted to the regulatory body for review and assessment
In applying for a license, the operator provides all relevant information describing the
basic approach to safety in order to demonstrate that the nuclear facility will not present undue
radiological risks to workers, the public and the environment. This includes safety objectives,
principles, criteria, standards and analysis proposed for all authorization stages. The relevant
information is presented so that the regulatory body can conduct the review and assessment
process without needing to seek further information or clarification.
Basic information provided covers each stage of the authorization process including:
x Description of the site, including geography, demography, topography, meteorology,
hydrology, geology and seismology;
x Description of the facility, including layout of buildings and equipment;
x Applicable safety regulations, guides and industrial standards;
213
x Safety concepts and criteria used in the design of the facility, including the classification of
systems and components, the application of the defence in depth concept and the approach to
the issues related to the human-machine interface;
x Description of systems and components, including their design criteria, the processes
involved, the modes of operation and testing.
Analysis of the normal operation of the facility demonstrates the acceptability of the
design, including a demonstration that radiation protection criteria, waste management
requirements and effluent limits are met by the design.
The results of a safety analysis are provided to demonstrate how the design of the
nuclear facility and related operational procedures will contribute to the prevention of
accidents, and to the mitigation of accidents if they do occur. This analysis describes and
evaluates the predicted response of the facility to postulated initiating events which could lead
to fault conditions. These analyses are extended to relevant combinations of such
disturbances, malfunctions, failures, errors and events. Consideration should be given to
aspects such as the assumed initial conditions, the physical or mathematical models used, their
correlation with experiments, and the method of presenting the results.
These analyses show the extent to which the facility can control or accommodate
situations relating to the various events and fault conditions. The limits and conditions for safe
operation are defined. If any part of the analyses has been independently reviewed by another
organization, the results of this review are also presented to the regulatory body.
Information regarding organizational matters is formally presented for review and
assessment by the regulatory body. This includes a description of the quality system
established to ensure that all items are designed, manufactured, constructed, assembled,
tested, qualified, operated, maintained or replaced according to the safety requirements. This
includes, topics such as:
x
x
x
x
x
x
Management structure and resources;
Quality assurance arrangements including internal and external audit;
Organizational structure for the relevant stage of authorization;
Qualification and training of personnel;
Development of procedures;
Documents and records control.
Other plans and programmes that are established by the operator in support of its safety
activities are also submitted to the regulatory body for review and assessment. These include
areas such as:
x
x
x
x
x
x
x
214
Radiation protection programme;
Environmental monitoring programme;
Emergency preparedness;
Physical protection;
Fire protection;
Radioactive waste management;
Research and development in relation to the safe design, operation, decommissioning or
closure of the facility;
x
x
Operation experience feedback;
Decommissioning strategy.
5.1.1.2. Reporting by the operator
The requirements for periodic or progress reports and the general criteria for notifying
the regulatory body of events, incidents or accidents are specified in regulations or licence
conditions.
Periodic or progress reporting
Reports are submitted from the operator at predetermined times or after completion of
specific activities during the lifetime of the facility.
During site evaluation and construction, reports serve to keep the regulatory body
informed of the project development. These cover:
x Progress of site studies;
x Construction progress report;
x Results of the pre-operational environmental monitoring programme.
During commissioning and operation, reports are prepared to demonstrate to the
regulatory body the continuous safety of the facility. These cover:
x
x
x
x
x
x
Results of commissioning tests;
Operational data, including data on the facility’s output and performance;
Modifications;
Results of the radiation protection programme;
Results of the environmental monitoring programme; and
Radioactive waste management.
In order to enable the regulatory body to consider the release of any facility from
regulatory control, reports include details of:
x The amounts and destinations of radioactive
decontamination/dismantling programme;
x Levels of residual activity in the facility;
x Results of environmental monitoring programmes.
waste
resulting
from
the
Where it is necessary by the nature of the facility (e.g. for a waste disposal site), reports
should also include details of:
x The overall waste inventory;
x The sealing arrangements;
x Any institutional controls intended for the post-closure phase.
Notification and reporting of events, incidents or accidents
The operator notifies the regulatory body of any event considered significant to safety.
The time and type of notification is established in regulations and depends on the severity of
the event.
215
Depending on the severity of the events or the deficiency, an investigation should be
carried out by the operator and a report prepared and submitted to the regulatory body within a
specified period of time. The report covers details of the events, the findings of the
investigation and a proposal for corrective action.
Other reports
During site evaluation and construction, any changes in the design or major nonconformances that may affect safety evaluation are reported to the regulatory body prior to the
implementation of the changes. Any major design deficiencies identified during
commissioning or operation is also analysed and reported.
5.1.1.3. Records to be kept by the operator
The operator, having responsibility for the safety of the facility, keeps records of all
activities that are considered safety related. The records, although not formally submitted to
the regulatory body for review and approval, are made available upon request. Regulations
establish the types of records that are kept and their retention period. This takes into
consideration the possible future need to refer to the records and the difficulties of
regenerating the information.
Records of site evaluation and construction
Results of site evaluation studies (geological data, meteorological data, hydrology data
and results of the pre-operational environmental monitoring programme), construction design
records, manufacturing records (including shop quality control results) and erection records
(including quality control results and as-built design records) are kept in accordance with
established regulations. They may be useful in the investigation of any later events or generic
problems and in decommissioning.
Commissioning records
Records made during commissioning include equipment and system tests, test
procedures and the results. The results are thoroughly evaluated by the operator and this
evaluation should also be retained with the test results. The regulatory body monitors
commissioning of the facility very closely and reviews commissioning tests results at each
phase of the commissioning process before proceeding to the next phase. Retention of
commissioning test documentation is required by regulations.
Operation records
Operational records are the main documentation to be used in the routine monitoring of
safety by the regulatory body. This monitoring is conducted through the system of regulatory
inspections. The documents to be retained by the operator for possible examination by the
regulatory body include:
x
x
x
x
x
x
216
Output and performance records for the facility;
Operating log books;
Inventories of nuclear and radioactive materials;
Records of periodic calibration and testing of equipment;
Records of periodic testing of equipment and systems;
Records of in-service inspections;
x
x
x
x
x
x
x
Records of preventive maintenance and repairs;
Records of personnel training;
Records of personnel radiation monitoring;
Records of radiation monitoring and contamination records for the facility;
Records of radioactive waste management;
Records of effluent discharges and of the environmental monitoring programme; and
Records of fault conditions.
Records of modifications to the facility
All modifications relevant to safety and their evaluation are recorded for possible reexamination. The regulatory body periodically examines the complete set of modifications to
the facility in order to evaluate the effectiveness of the operator's control process and to ensure
that all modifications relevant to safety have been submitted for its approval, in accordance
with applicable regulations.
Evaluation and records of events
The event evaluation process and its results are recorded for all events above an
established threshold of significance. Periodic review of recorded events is performed to
identify trends and possible deterioration of safety levels. The regulatory body periodically
examines the complete set of events in order to evaluate the effectiveness of the evaluation
process, to ensure that procedures for notifications have been properly followed, and to
identify trends in the collective set of events recorded at the facility.
5.1.2. Documents produced by the regulatory body for a specific facility
The regulatory body treats the authorization process for each facility as a specific task
which generates specific documentation. This may be similar to the documentation of similar
facilities but should keep its individuality. The documentation can be categorized according to
the main continuous functions of the regulatory body: review and assessment, inspection and
enforcement, etc..
5.1.2.1. Results of review and assessment
The review and assessment performed by the regulatory body is discussed in Section 3.
It requires the evaluation of the documentation submitted by the operator described in the
preceding paragraphs.
Records of information exchange between the regulatory body and the operator
The process of review and assessment is conducted through exchanges between the
regulatory body and the operator which is formally recorded. These concern mainly:
x
x
x
x
Requests for additional information by the regulatory body staff;
Questions formulated by the regulatory body staff;
Responses by the operator (including those provided by its contractors); and
Records of meetings between regulatory body staff and operator personnel.
217
These records are kept in an organized way which provides the possibility of retrieval
according to different criteria, such as subject, type, date or originator.
Documentation of the review and assessment
At several stages of the authorization process a decision will have to be made whether a
licence is granted. The regulatory body records in the form of a report the basis for such a
decision. This report summarizes the review and assessment performed within the regulatory
body and provides a clear conclusion about the safety of the authorized activity.
Typically, the report covers the following topics:
x
x
x
x
x
x
x
x
x
Reference to the documentation submitted by the operator;
Basis for the evaluation;
Evaluations performed;
Comparison with regulatory requirements and guides;
Comparison with other similar (reference) facilities;
Independent analysis performed by the regulatory body, or by consultants on its behalf;
Conclusion with respect to safety;
Reasons for the decisions made;
Additional conditions to be fulfilled by the operator, if any.
5.1.2.2. Records of inspection activities
The primary purpose of inspection reports is to record the results of all inspection
activities and to provide the basis for notification of the inspection findings to the operator.
The format and content of inspection reports are discussed in Section 4. Inspection findings
are forwarded to the operator for necessary corrective actions. In some countries, the full
inspection report is forwarded to the operator. Caution should be exercised in identifying
individuals by name or post because of the possible implications for the individuals.
From time to time the regulatory body may find it useful to produce a synthesis report
covering a type of facility or a specific aspect and drawing together the findings from the
relevant inspection, review and assessment report.
5.1.2.3. Records of enforcement actions
Enforcement actions are taken in case of non–compliance. All enforcement actions are
recorded according to an established procedure in accordance with the legal and regulatory
practices. Whenever an urgent enforcement action has to be taken to ensure the safety of
workers, the public and the environment, this action is confirmed in writing as soon as
possible.
5.1.2.4. Licence document
The authorization process (see 2.2) is the principal mechanism connecting the legal
framework of the regulatory system (the law and regulations) with the responsibilities of the
principal parties (the regulatory body and the operator) which are affected by the regulatory
system. The principal purpose of regulations for a nuclear facility is to establish requirements,
218
both technical and administrative, that apply to persons, activities and facilities involved in a
nuclear programme. Such regulations provide a basis for the more detailed requirements
incorporated into licences. The license may also refer to non-mandatory technical guides or
industrial standards in part or as a whole, thus making them mandatory. The licence
establishes, directly or by reference, conditions governing the safe performance of these
activities.
Format of licences
The format of a licence depends upon the content of authorization and conditions
deemed necessary by the regulatory body for a given stage of the authorization process in
accordance with the national legal procedures. For example, the licence may incorporate by
reference the underlying documents and provide only material needed to define the basic
terms not already described elsewhere. Thus, the format of a licence will vary not only
between countries, but also within a country, from stage to stage and from licence to licence
for a given stage. The licence contains information such as:
x
Statutory authority: The licence explicitly refers to the law and regulations on which it is
based.
x
The issuing authority: The licence identifies the official designations of those who are
empowered by law or regulation to issue the licence; whose signature and stamp will
appear on the licence; and to whom the operator will be accountable under the terms of
the licence.
x
Fulfilment of requirements: The licence includes a summary statement that in respect of
safety all legal and technical requirements under the law for issuing licences have been
fulfilled and that the proposed activities can be carried out without undue radiological risk
to workers, the public or the environment.
x
Documentary basis: The licence identifies those documents provided by the operator in
support of the application and those developed by the regulatory staff during the review
and assessment process, which together form the basis for issuing the licence.
x
Relationship to other licences: The licence indicates whether it is contingent upon a prior
authorization or is a prerequisite to a future authorization.
x
The operator: The licence contains a precise identification of the individual or
organization both legally responsible for the licensed activity and in day-to-day control of
the facility.
x
Period of authorization: The licence states an effective date of authorization. It may also
include a termination date, which may be based on a fixed term, e.g. one or two years.
Alternatively a period will be stated over which the assumptions underlying the licensing
decision will remain valid and at the end of which the basis for licensing will be reexamined.
x
Licensed activity: The licence clearly describes with sufficient precision the nuclear
facility, its location and the authorized activity.
219
x
Operator’s responsibility for compliance: The licence contains an appropriate declaration
that the operator has the responsibility for compliance with the legal requirements,
regulations and conditions referenced or contained in the licence or otherwise applicable.
The licence should also state that such responsibility is not transferable.
Licence conditions
Licence includes explicitly, or imposes by reference or attachment, conditions
determined by the regulatory body which are obligations with which the operator is required
to comply. Law and practices relating to licensing vary in states. Some states specify
conditions in the law and in regulations of the regulatory body, merely referencing them in the
licence, while other states include some or all conditions explicitly in the licence.
Licence conditions cover as appropriate all safety-related requirements affecting the
siting, construction, commissioning, operation and decommissioning or closure of the nuclear
facility to enable effective regulatory control. These include such important aspects as: design
requirements; radiological protection; emergency procedures; modifications; quality
assurance; operational limits and conditions; procedures; and authorization of personnel.
While the conditions may vary in format, there are certain basic qualities that
characterize the set of conditions to make them understandable and effective. Each condition
is consistent with all other conditions in that the fulfilment of one should not be in conflict
with the fulfilment of another or with any other legal requirement. It might be useful to group
the conditions into logical types, such as conditions which set technical limits and thresholds,
conditions which specify procedures and modes of operation, conditions pertaining to
administrative matters, conditions relating to inspection and enforcement requirements, and
conditions regarding response to abnormal circumstances. Table XV presents examples of
general and stage specific licence conditions.
220
221
The operator does not extend its activities beyond those specifically
authorized in the licence without the prior approval of the regulatory body.
The operator develops, preserves, updates and maintains a complete set of
records related to the safety of the facility, including those referenced in the
applications, and those required by law, regulations and the licence, and
does not dispose of them except as authorized by the regulatory body.
The operator carries out its activities in accordance with an approved quality
assurance programme covering all stages of the authorization process, to
provide a basic framework for ensuring that every step is carried out with
due regard for safety.
The operator reports facility modifications in accordance with requirements
established by the regulatory body.
The operator reports all accidents, incidents and events related to safety as
may be required by the regulatory body.
x
x
x
x
The operator takes such corrective actions or measures as the regulatory
body may require in the interests of safety.
The operator keeps the regulatory body fully and continuously informed
with respect to any significant or potentially significant events or changes in
the considerations, information, assumptions or expectations upon which the
issue of the licence was based.
x
x
x
x
General licence conditions include the following:
x The operator provides the authorized representatives of the regulatory body
with full access to personnel, facilities and records that are under the
operator's control, where such access is deemed necessary by the regulatory
body to determine compliance and to assess safety.
TABLE XV. EXAMPLES OF GENERAL AND STAGE SPECIFIC LICENCE
CONDITIONS.
The operator initiates a pre-perational radiological study of the region
including an appropriate baseline survey.
x
Commissioning is carried out in accordance with a programme approved by
the regulatory body.
Completed structures, systems and components important to safety are not
put into service until they have been inspected, tested and approved as being
in accordance with the terms of the licence.
x
x
Commissioning: When authorizing commissioning of the nuclear facility, the
regulatory body specifies a number of conditions, including the following:
Furthermore, at the time of authorizing of the construction, conditions may be
imposed on the operator requiring that it obtain from the regulatory body
additional approvals relating to the design of certain parts of the nuclear
facility.
The nuclear facility is constructed in accordance with the design which has
been approved by the regulatory body. The operator does not deviate from
the approved design in any way that might affect safety without the prior
approval of the regulatory body.
The nuclear facility is designed and constructed in accordance with the
relevant site parameters approved by the regulatory body.
x
x
Construction: When authorizing construction, there are several conditions which
are necessary to ensure that this stage can proceed in a manner that ensures the
safe operation of the nuclear facility. These conditions include the following:
Site preparation: When authorizing a site, the regulatory body specifies the
controls which the operator is required to exercise over use of the site and the
degree to which the operator may prepare the site, without conducting activities
which, under the law and regulations of the state, require a construction licence.
Stage specific licence conditions include the following:
222
Fissile or radioactive material is not brought onto the site without regulatory
authorization.
Beginning with the introduction of fissile and radioactive material into the
facility, the operator operates the facility only under the control and
supervision of authorized personnel using written procedures in accordance
with the operational limits and conditions approved by the regulatory body.
Any changes made to these limits and conditions have prior approval of the
regulatory body.
The operator has an approved emergency plan, co-ordinated with the other
authorities involved in emergency preparedness
x
x
x
The operator has a modification procedure approved by the regulatory body
to ensure that no part of the approved facility important to safety will be
modified without the prior approval of the regulatory body.
The operator ensures that the nuclear facility is subjected to in-service
inspection and testing to be carried out as specified for structures,
components and systems important to safety to a time schedule approved by
the regulatory body.
The operator ensures that maintenance of safety related equipment and
systems is carried out in accordance with a schedule approved by the
regulatory body.
x
x
x
Operation: In authorizing routine operation the conditions imposed under
commissioning are appropriately amended in the light of commissioning results.
The regulatory body adds conditions such as the following to this licence, when
deemed necessary:
x The operator does not operate the facility in excess of the maximum
capacity level authorized by the regulatory body.
The operator provides approved storage facilities for nuclear materials. The
regulatory body may require appropriate physical security measures to be
effective before nuclear material is brought into the facility.
x
The operator ensures that the nuclear facility is only operated under the
control and supervision of authorized personnel in adequate numbers
acceptable to the regulatory body.
No changes are made to the arrangements, schedules, procedures or rules
that have been approved by the regulatory body without such changes being
given prior approval by the same body.
Closure: Following closure of a waste disposal facility, continuing control,
including environmental monitoring, may be needed. Depending on national
legislation, requirements may be contained within a post–closure licence held by
the operator or responsibilities may be taken by a relevant national authority
prior to agreement to closure.
Decommissioning: When authorizing decommissioning of a facility, the
regulatory body takes particular care in specifying legally binding requirements
to ensure compliance, since the sanction of shutting down the facility or revoking
the licence is unlikely to be very effective at this stage.
Other possible licence conditions relating to such matters as the liability of the
operator in the event of accidents are not included.
x
x
5.2. COUNTRY SPECIFIC APPROACHES AND EXAMPLES
5.2.1. Use of licensing and commissioning documents in Finland [16]
In the following, licensing and commissioning practices in Finland are presented as an
example of a possible approach. The role of licensing documents is stressed.
5.2.1.1. Decision in principle of the Council of State
The siting and construction of a nuclear power plant requires the decision in principle of
the council of state stating it is in line with the overall good of society. The application is
supplemented with the documents listed below.
In accordance with Nuclear Energy Act, STUK makes a preliminary safety assessment of
the application. The safety assessment deals with the potential for complying with the provisions
of the Nuclear Energy Act and Decree and with the provisions of the Decisions of the Council of
State. STUK therefore presents in its safety assessment whether factors have arisen indicating a
lack of sufficient prerequisites for constructing a nuclear facility.
Documents to be submitted to STUK
An applicant forwards to STUK the documents dealing with the plant options in
question. The documents aim to prove that the plant options comply with the regulations in
force. For each facility option, the documents shall cover i.a. the following items:
x Description of the facility and its reactor, primary circuit and containment as well as other
safety systems;
x Reference to facilities which have served as models and a description of the most
important changes in comparison to them;
x Description of the safety analyses performed for the facility; and
x General plans for the facility’s implementing organization, the suppliers of the facility and
the most important systems and components as well as quality assurance during
implementation.
As regards each facility option, STUK requests, at its discretion, other information
necessary for the preliminary safety assessment.
5.2.1.2. Construction licence
A nuclear power plant construction licence shall be applied for from the council of state.
The application shall be supplemented with the documents listed in the Nuclear Energy Decree.
STUK issues a statement on the application for a construction licence. The statement is
supplemented with a safety assessment.
Documents to be submitted to STUK
The requirements for the licensing documents are described below. STUK gives a
statement on the construction licence application after having approved the following documents
by a separate decision.
223
Preliminary safety analysis report: The purpose of the preliminary safety analysis report
(PSAR) is to demonstrate that safety regulations and factors affecting safety have been
adequately covered. In the PSAR, at least the following items are to be accounted for: a
description of the nuclear power plant’s safety principles and other design criteria and their
fulfilment, a detailed description of the plant and the site, a description of plant operation and
behaviour in transient and accident conditions and the environmental impact of the plant’s
operation. Preliminary liaison with STUK on the contents of the safety analysis report is
required.
In the PSAR, a reference shall be made to the topical reports which play an essential role
in the assessment of the safety analysis report. The purpose of topical reports is to give a detailed
description of the kind of experimental research and theoretical analyses on which the plant’s
design is based. The reports may be related to the facility in question or to an other facility of a
similar type designed by the same supplier. Topical reports concerning i.e. the fuel, reactor,
reactor pressure vessel, safety systems and containment shall be submitted. The reports shall
present research results important to design and detailed descriptions of the calculation models
employed for design and the codes employed for computer analysis. Topical reports shall be
forwarded to STUK for approval so that they can be reviewed not later than in conjunction with
the review of the corresponding item in the safety analysis report. The requirements for accident
analyses are presented in guide YVL 2.2.
Proposal for a classification document: The classification by their safety significance of
structures, systems and components important to the nuclear power plant’s safety shall be
presented in the classification document. Safety class affects the requirements placed on design,
manufacture, installation, testing and inspections. STUK’s regulatory control as regards each
item is determined on the basis of the safety class. The safety classification requirements are
presented in guide YVL 2.1.
Quality assurance for construction: The systematic procedures followed in their quality-related
activities by the organizations taking part in the nuclear power plant’s design and construction
shall be presented in quality assurance programmes. In addition to the licence applicant’s quality
assurance programme, the quality assurance programmes of at least the facility’s main supplier,
the supplier of fuel and the most important components and equipment shall be submitted to
STUK for review. STUK also requests for review, at its discretion, the quality assurance
programmes of other organizations which play a significant role in the carrying out of the facility
project. The quality assurance requirements are presented in guide YVL 1.4.
Plans for physical protection and emergency response arrangements: Physical protection aims
at thwarting any unlawful activities against a nuclear power plant. A plan for physical protection
during nuclear power plant construction and operation is presented in the preliminary security
plan. The plan deals with plant protection by structural means and with administrative
procedures.
Emergency response arrangements are intended to restrict nuclear damage at the nuclear
power plant and on-site in the event of an accident. A plan for emergency response arrangements
during nuclear power plant operation is presented in the preliminary emergency plan. The plan
deals with the taking into account of emergency response arrangements in plant design, and with
administrative procedures. Detailed requirements are presented in guides YVL 6.11 and
YVL 7.4.
224
Plan for the arrangement of the necessary control to prevent the proliferation of nuclear
weapons: Safeguards controls aim to ensure that nuclear materials will not be used for the
fabrication of nuclear weapons or other nuclear explosives. The plant design data, which include
basic information of plant layout and operation and a description of safeguards control at the
plant, is presented in the plan for the arrangement of control. The requirements concerning
safeguards control and STUK’s regulatory control measures are presented in guide YVL 6.1.
Preliminary probabilistic safety assessment (mini-PSA): Mini-PSA means a preliminary
analysis at Level 1 of the probabilistic safety assessment (PSA). Level 1 constitutes the first part
of the safety assessment in which the probability of reactor core damage is analysed. The MiniPSA is based on the design phase facility plan and examines the most important accident
initiating events. The requirements concerning probabilistic safety assessment are presented in
guide YVL 2.8.
5.2.1.3. Operating licence
A nuclear power plant operating licence is applied for from the council of state. The
licence application shall be supplemented with the documents listed in the Nuclear Energy
Decree. STUK issues a statement on the application for an operating licence to which a safety
assessment is attached.
Documents to be submitted to STUK
When applying for an operating licence, the documents referred to in the Nuclear Energy
Decree shall be submitted to STUK for approval. The requirements for these documents are
presented below. STUK gives a statement of the application for an operating licence only after
having approved of the essence of each of these documents by a separate decision.
Final safety analysis report: The general requirements for the preliminary safety analysis report
also apply to the final safety analysis report. The safety analysis report together with its accident
analyses and topical reports are based on actual nuclear power plant systems, structures and
components. As a rule, the safety analysis report is made in Finnish. On application, STUK may
give its approval for separately defined parts of the safety analysis report to be written in some
other language only. In addition to the information on the nuclear power plant and the plant site,
also descriptions of plant commissioning and operation is presented in the final safety analysis
report.
Probabilistic safety assessment: A probabilistic safety assessment (PSA) contains analyses at
PSA Levels 1 and 2. Level 2 means an assessment of the likelihood and quantity of the releases
of radioactive materials. The analyses are based on actual nuclear power plant systems,
structures and components.
Quality assurance programme for operation: The systematic procedures which during nuclear
power plant operation are applied to activities affecting quality are stated in the quality assurance
programme for operation. The requirements for the quality assurance programme are presented
in guide YVL 1.9.
Technical specifications: The technical specifications determine the limit values for the process
parameters most important to safety which are to be observed in the plant’s various operational
states as well as the limitations caused to plant operation by possible component failures. The
225
technical specifications also state the requirements for the tests and inspections important to
safety by which the operability of systems and components is periodically ensured. Furthermore,
the technical specifications determine the minimum number of personnel required to be present
during the various nuclear power plant operational states as well as the radioactive materials
release limits.
Summary programme for in-service inspections: The in-service inspections of components and
structures important to safety to be conducted periodically after commissioning, are laid down in
the summary programme for in-service inspections. The programme contains the items
scheduled for inspection and their scopes, methods and periods of inspection. The in-service
inspections requirements are presented in guide YVL 3.8.
Physical protection and emergency response arrangements: Plant lay-out, systems and
components as well as the structure and areas of responsibility of the plant’s operating
organization are taken into account in the security and emergency plans.
Arrangement of the necessary control to prevent the proliferation of nuclear weapons: The
arrangement of control is presented in the manual for the nuclear materials accounting and
control system. The requirements concerning the accounting and control system are presented in
guide YVL 6.9.
Administrative rules: The duties, authority and responsibility of a nuclear facility’s responsible
manager, his deputy and the personnel directly required to operate the facility are specified in the
administrative rules. Furthermore, the administrative rules state the competence requirements for
the personnel. The duties, authority and responsibility of the licensee’s organizational units are
more extensively presented in a separate organizational manual or some other corresponding
document which is forwarded to STUK for information.
Environmental radiation monitoring: The systematic measures to monitor the occurrence in the
nuclear power plant’s vicinity of radioactive materials originating in the nuclear power plant are
presented in the environmental radiation monitoring programme. Measures in accordance with
the programme are initiated already prior to the plant’s commissioning. The requirements for the
environmental radiation monitoring programme are presented in guide YVL 7.7.
5.2.1.4. Regulatory control of construction and commissioning
According to the Nuclear Energy Decree, the various phases of nuclear facility
construction may be started only after STUK is satisfied for each phase. STUK exercises
detailed control over the construction of the facility. This control aims to ensure that the
conditions of the construction licence, the regulations which apply to pressure vessels and the
approved plans are complied with and that the nuclear facility is built, also in other respects, in
accordance with the regulations issued by virtue of the Nuclear Energy Act. During construction,
control is focused on the working methods in particular to guarantee high quality. Inspection and
testing of nuclear facility systems, structures and components can be performed only by the
licensee or, in his place, by an inspector or an inspection facility that has been specifically
accepted by STUK for this purpose.
The licensee shall appoint a responsible manager and his deputy for the construction of a
nuclear facility who have approval from STUK for this job. The qualifications required of the
responsible manager are presented in the Nuclear Energy Decree.
226
Management of and quality assurance during construction
A high level safety culture and efficient quality assurance shall be observed during
nuclear power plant construction. Apart from the licensee, this also applies to all the
organizations participating in the project whose activities affect the safety of the nuclear
power plant. STUK oversees construction project management and quality assurance during
construction by inspections carried out at its discretion. I.a. the following items are subject to
inspections:
x
x
x
x
x
Organizational structure and conduct of management;
Competence and adequacy of personnel;
Review of issues relevant to safety;
Implementation of quality assurance, overall and in various sectors;
Control by the licensee over the implementation of his own quality assurance and that of
the suppliers and subcontractors.
Concrete and steel structures
STUK controls erection of buildings and manufacture of concrete and steel structures
important to safety. This control contains:
x
x
x
x
x
Pre-inspection of structures;
Inspections at the construction site concerning readiness to start work;
Inspections concerning manufacture;
Construction inspections of steel structures; and
Commissioning inspections.
Safety class of structures is taken into account when determining the scope of control and
when setting the requirements. The requirements for and control of concrete and steel structures
are presented in guides YVL 4.1 and YVL 4.2.
Only organizations and individuals that have been granted approval by STUK are
allowed to perform licensed inspection and expert duties relating to concrete and steel structures.
guides YVL 1.3 and YVL 4.1 present these duties and the procedures of granting approval.
Components
STUK controls the manufacture of pressure vessels and other mechanical components
for nuclear power plants. This control contains:
x
x
x
x
Pre-inspection of components;
Inspections concerning manufacture;
Construction inspections; and
Commissioning inspections.
The safety class of components is taken into account when determining the scope of
control and when setting the requirements. The requirements for and control of mechanical
components are presented in YVL guides, categories 3 and 5. Only organizations and individuals
that have been granted approval by STUK are allowed to perform licensed inspection and expert
227
duties relating to mechanical components. Guide YVL 1.3 presents these duties and the
procedure of granting approval.
STUK controls also the design, manufacture and installation of electrical and
instrumentation equipment for nuclear power plants. The scope of control contains:
x
x
x
x
Pre-inspection of components;
Inspections concerning manufacture;
Inspections concerning installation; and
Commissioning inspections.
Safety class is taken into account when determining the scope of control and when setting
the requirements. The requirements for and control of electrical and instrumentation equipment
are presented in guide YVL 5.5.
Procurement of nuclear fuel
According to sections 114 and 115 of the Nuclear Energy Decree, STUK controls that
nuclear fuel is designed, manufactured, transported, stored, handled and used in conformity with
valid regulations. The nuclear fuel licensing procedure and STUK’s regulatory control are
presented in other YVL guides explaining the requirements which apply to the design,
manufacture, transport, handling, storage and use of nuclear fuel.
5.2.1.5. Preparations for operation: organization and training
Pursuant to the Nuclear Energy Decree, STUK controls that the organization operating
the facility is adequate and appropriate and that the individuals participating in the use of nuclear
energy meet the qualifications required and that proper training is arranged for them.
Development and training of the organization for operation shall begin early enough during the
construction of the nuclear power plant.
When reviewing the administrative rules and organizational manual, STUK assesses the
appropriateness and adequacy of the organization and the qualifications required.
According to the Nuclear Energy Decree, the licensee shall appoint a responsible
manager and his deputy for the operation of a nuclear power plant who shall have approval from
STUK for this job. Furthermore, pursuant to the Nuclear Energy Decree, the licensee shall
appoint persons responsible for emergency response arrangements, physical protection and
safeguards. Those appointed to the duties referred to above must have approval granted by
STUK for their specific jobs. Pursuant to the Nuclear Energy Decree, the operator of the facility
systems in the main control room of a nuclear facility must have STUK’s approval for the job.
The plan for the hiring of personnel referred to in guide YVL 1.7, the time of their hiring
and initial training programmes, shall be submitted to STUK for information. STUK controls the
implementation of the initial training programmes by inspections conducted at its discretion.
Prior to the start of the operation of the nuclear power plant, STUK inspects that the
qualifications required are fulfilled. The requirements for the training of nuclear power plant
personnel and operator licensing are presented in guides YVL 1.6 and YVL 1.7.
228
Commissioning
A trial run is an essential part of a nuclear power plant’s commissioning. It serves to
demonstrate that the plant is built and operates according to design. The trial run is divided
into the following main parts: systems tests, fuel loading and pre-criticality tests of reactor
systems, reactor criticality and tests at low power, and tests at various power levels. STUK
controls nuclear power plant trial runs by reviewing the overall trial run plans and programmes,
by witnessing the tests conducted at the power plant and by inspecting the trial run result reports.
Nuclear power plant operation is considered to begin when the loading of nuclear fuel
into the reactor is started. At this stage, to ensure that the plant conforms to the regulations
which apply to it, STUK inspects, according to the Nuclear Energy Act, that:
x Documents concerning the operation of the plant are acceptable in every respect;
x Operating procedures, the procedures for transients and emergencies included, are
adequate;
x The organization operating the nuclear power plant is adequate and appropriate;
x Persons taking part in the use of nuclear energy are qualified as required;
x Persons who have approval from STUK have been appointed as the responsible manager
for the operation of the plant and his deputy;
x There is a sufficient number of licensed operators at the plant;
x For the operation of the plant, persons responsible for the emergency response
arrangements, physical protection and safeguards have been appointed, who have approval
from STUK;
x Commissioning inspections with acceptable results have been carried out for plant
systems, components and structures;
x The results of systems tests are acceptable in so far as the trial run can be accomplished
without the reactor;
x Basic inspections of structures and components have been accomplished;
x Physical protection and emergency response arrangements are sufficient;
x The necessary control to prevent the proliferation of nuclear weapons has been arranged
appropriately; and
x The licensee has, as prescribed, arranged indemnification liability in case of nuclear
damage.
Reactor loading may be started when STUK has approved the loading application and the
reactor and fuel behaviour reports for the first fuel cycle. The reactor may be made critical and
brought to a higher power level in conformity with STUK’s decisions.
When the trial run has ended, the licensee and STUK will carry out an overall assessment
of the results. Based on the results of the trial run, also the technical specifications are
reassessed. Based on the assessment the licensee makes in the document, the necessary changes
approved by STUK. The requirements for and control of the trial run are presented in guide
YVL 2.5.
229
5.2.2. Structure and content of the QA manual (Germany)
During the commissioning of GKN unit 2, the authorities required a quality assurance
manual (QM) pertaining to obtain the operating licence. The design and the content of this
manual was developed together with the representing authority and their appointed
independent experts (TÜV).
The major goal of the authority requirement for a QA manual, was to collect all items
of QA relevance into one manual as a standard and to certify them on the base of the actual
international publications of QA rules. The result is a paper where each employee of the plant
can easily find all rules and regulations in a clearly articulated and structured manual to ensure
a safe and reliable plant operation.
The QA manual has two parts. Part one is the quality assurance programme that is a
brief description of the QA regulations at GKN. Within 80 pages, an overview is given of all
QA items. Part two includes the detailed instructions for all QA items and consists of
approximately 800 pages.
The reasoning behind this structure is the German method of a specific regulatory
control: the authority is only responsible for the administrative tasks because normally their
employees do not have any technical background. To examine e.g. modifications from the
technical point of view, an independent expert is appointed (TÜV or other independent
organizations) which is then obliged to directly report to the authority.
To avoid finding that all documents have to be evaluated and licensed by the
responsible authority, only documents with essential and substantial subjects are classified as
a safety specification (SSP). It is not allowed to modify SSP without approval given by the
responsible authority. All other documents which are not SSP but which contain safety related
regulations, are approved by the TÜV without authority participation, however, the
responsible authority receives all informative assessment reports from the TÜV. Correlating to
this philosophy, part one of the QM is classified as SSP and part two of the QM only has to be
approved by the TÜV. Most manuals are designed in the same manner.
The QM has two parts. Part 1 is the QA programme and part 2 includes several
detailed QA instructions for specific items. The general structure of the QM is as follows:
x
x
x
x
x
x
x
x
x
x
x
x
x
230
Introduction and objectives;
Scope of application;
Internal organization principles;
Organization;
Plant modification procedure;
Plant operation;
Procurement and storage;
Manufacturing;
Arrangement system and distinguishing;
Preventive maintenance;
Repair;
Commissioning after modifications;
Periodic tests;
x
x
x
x
x
Surveillance of measuring- and test-equipment;
Handling of deviation;
Experience feed back;
Document handling;
Surveillance of the QA system.
Further on each QA item is described in detail.
Plant modification procedure
As an authority requirement, all nuclear power plants in the region of BadenWürttemberg have the same modification procedures. This procedure is described in detail in
part 2 of the QM. In particular the classification of the modification is tightly regulated due to
the components concerned. There are 4 modification categories:
x
x
x
x
Cat. A: Licensing needed before modification can proceed (e.g. increase of power);
Cat. B: Licensing procedure (e.g. modification of SSP);
Cat. C: Assessment by TÜV;
Cat. D: Own response modifications.
Plant operation
The objectives of plant operation are regulated in detail within the operation manual
(OM). Several OM Chapters, which are marked as SSP are as follows:
x
x
x
x
x
x
x
Work permission procedure;
Control room and shift regulations;
Radiation protection regulations;
Fire protection regulations;
Personnel injury regulations;
Alarm regulations;
Physical protection regulations.
All other aspects of plant operation are also described in the QM.
Procurement and storage
An essential part of QA in NPPs is based on management of controlled spares.
Therefore the following aspects:
x Selection and assessment of manufacturers;
x Warehouse control of incoming items;
x Storage;
x Spares issue.
must be very strictly regulated in order to avoid component failures.
231
Manufacturing
Manufacturing as a special part of the above item, has to focus on the documentation.
Especially when the TÜV is involved, a special procedure of handling the manufacturing
documents and the investigation of the production of spare parts is necessary. This is equally
valid for work done by contractors as well as for work done on site.
Arrangement system and distinguishing
Correct identification of components, spare parts and documents are essential
prerequisites of a safe plant operation. Therefore a detailed regulation is contained within
several QA instructions.
Preventive maintenance
Preventive maintenance, among other things, is equivalent to periodic tests, an item
with the highest grade of regulation depth. The regulations are contained in several different
documents. So the QM has to point out the maintenance philosophy and to refer to the
different documents. The major questions to be answered are as follows:
Who is competent/responsible?
The responsibilities have to be defined very clearly without any overlapping;
Personnel oganization (part of the OM);
Work permission regulations (part of the OM);
What must be done?
All components/systems have to be listed;
Maintenance list which is part of the maintenance manual);
When does it have to be done?
For every component to be maintained, an interval must be defined;
Maintenance list (part of the MM);
How does it have to be done?
For every component to be maintained, detail instructions for dismantling;
Controlling and assembling have to be created;
Maintenance instructions (part of the MM);
What about plant safety?
There are a lot of restrictions caused by the availability of the safety systems. Possible
unavailability has to be analyzed for each plant state (full power, shutdown, a.s.o.).
Prohibited and corrective actions must be defined;
x Regulations for power operation (part of the OM);
x Regulations for shutdown condition (part of the OM);
x System safety classification list (QA instruction, part of the QM).
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
Repair
Repair of damage on components must be done taking into consideration the same QA
aspects as described above for the preventive maintenance. In addition, the procedures
pertaining to event reporting and experience feedback must also be regulated. Experience
feedback has it’s own chapter in the QM. Reporting criteria for events. National and
international scale (part of the OM).
232
Commissioning after modification
Large plant modifications such as the installation of e.g. new systems or an increase of
power in the plant, must be tested afterwards in a similar way as the first plant commissioning
was done. Responsibilities, necessary procedures (system check, pressure test, a.s.o.) and
sequences, have to be regulated as well as the forms which are to be used. Preparation of
commissioning documents (QA instruction, part of the QM).
Periodic tests
To assure a safe plant operation, periodic tests are an essential prerequisite. They
certify the component reliability between the various maintenance activities. Latent failures
need to be identified immediately. Especially within the I&C, which has no preventive
maintenance, there is a major field for periodic tests. Similar to the preventive maintenance,
periodic tests affect plant operation in a far- reaching way and the same questions must be
answered. The regulations are held within several different documents. The QM then sets out
the testing philosophy and refers to the different documents. The major questions to be
answered are the same as those presented for preventive maintenance:
Surveillance of measuring- and test-equipment
Measuring- and test-equipment must be calibrated as an essential prerequisite to ensure
reliable periodic testing procedures. Test equipment must be classified, listed and calibration
intervals must be fixed. Responsibilities must also be regulated.
Handling of deviation
Deviation is the failure of the detected actual condition to match the desired condition.
Deviations can be either administrative (procedures) or technical. The QM describes a general
procedure for handling deviations. Analysing procedures, internal and external reporting,
information of the responsible authority, remedial actions and precautions against repetition
are only some items that must be regulated. The QM has no relevant procedure for all of the
various deviations but it refers to several documents which regulate deviations in special cases
(e.g. fault reports) and it describes the general philosophy of deviation handling.
Experience feedback
Experience feedback is an important part of the QA system. It helps to avoid faults and
events. Therefore a local procedure was created which deals with all essential items beginning
with a root cause analyses above reporting to the authority and ending with the decision to
realise plant modifications.
Document handling
A joke says, if our descendants will dig out an NPP in some thousand years, they will
conclude that it is a paper factory with all their product still in stock.
In view of such an incredible amount of documentation and the absolute necessity to
keep it up to date and available for everyone, one can imagine how important it is to have a
233
detailed procedure for document handling, arranged in a clearly defined structure. The
following items must be regulated:
x
x
x
x
x
x
Responsibility for document content;
Responsibility for document servicing;
Responsibility for document proving and release;
Document design layout and structure;
Distinguishing;
Archiving.
Especially the modern archiving systems such as micro films and micro fiches
including further the development of computer data memory, brings a lot of changes along
with the need of detailed regulations for documentation manual and document handling
(QA instruction, part of the QM).
Surveillance of the QA system
Just creating a QA manual is not enough to guarantee a high quality in plant operation.
Education of personnel is equally necessary. In QA, training in use of procedures makes
people aware of the importance of QA, and also helps to convey a deeper understanding for
the relationship of all QA aspects. The third step necessary is good control of the QA system.
There is no need to control people if the rules are being followed, but one must also check the
applicability of the procedures.
An audit team is responsible for audits and to co-ordinate them together with the
concerned departments. Afterwards a written report must be supplied to the Plant Director.
Deviations found by the audit team must be commented with suggestions for improvements.
The management decides upon the implementation of the improvements suggested. After
implementation, an audit follows which will check and confirm the improvements. (Internal
Audits (QA instruction, part of the QM))
5.2.3. Use of the licensing documents and updating procedures
The licensing documents are the bases of the contract between the licensee and the
safety authority. They should be sufficient for the licensing process and provide enough
details to allow conformity inspections.
Generally, a lot of documents are referenced in the Safety Analysis Reports. Thereby,
these documents belong to the reference and should be provided at request for assessment.
5.2.3.1. Use of the documents
Assessment of the documents can be done in different ways, but which can
complement each other.
Use of detailed adapted regulation
The first and most usual way of assessing plant safety from documentation is to check,
step by step and topic by topic that the relevant guides are properly applied or that another
234
convincing method has been implemented to reach a safety level at least equivalent. The
Section 5.2.1 shows, as an example, the correspondence between each licensing step and/or
each specific item and the Finnish system of guides.
Such a verification is needed as these documents are the base of the regulatory system
in the country but this method has few chances to lead to the discovery of unexpected
difficulty as the applicant built this documentation while using the same logic.
Use of internationally available review process
In countries where the regulation is less extensive the use of the standard review plan
developed in the USA in coherence with the Safety Analysis Report plan (RG-1.70) can be
useful. But each formalised list of questions is limited by nature and as these documents are
difficult to update, the latest developments in safety will not be covered.
In addition such rather general documents could be more or less influenced be specific
designs and cultures.
Considering the operating procedures to be applied in accident conditions, the high
performances characteristic for most western plants lead to rather short grace periods.
Operating personnel are not always graduate engineers. Detailed procedures, easy to use
without additional deep thinking, are strictly necessary.
For VVER 440 units, the very large thermal inertia provides hours prior to any
significant damage to the fuel for a significant list of abnormal conditions such as the
complete loss of power or the complete loss of steam generator feed-water. The scientific
knowledge of the operating personnel is generally recognised (and must be checked in any
case as a specific item of the review). A different type of procedure can be acceptable to cope
with these situations and still ensure safety .
Cross checking examination
Following the same logic that the applicant’s gives few chances to find unsatisfactory
aspects. It can be beneficial to use other methods, such as the consistency of the operating
rules with the design assumptions and requirements.
Two examples will illustrate this approach:
1.
Average primary circuit temperature/pressure diagram (see Fig. 17): The authorized
working region must be the translation in operational terms of several design
assumptions. Checking the appropriateness of each limit will insure appropriate margins
during operation. The limit Psat, (Tsat — 30°C) provides a satisfactory margin for
pressurizer operation, and avoids boiling elsewhere in the primary circuit. The limit Psat,
(Tsat — 110°C) restricts the maximum temperature difference between the pressurizer
and the hot line and decreases the fatigue effect in the pressurizer and the surge line
during the operational transients.
235
Pressure in bars
French 1300 MWe PWR
n
160
155
140
Saturation curve + 110 bars
SG tubes
120
Temperature
variation
d 28°C/h
Saturation curve - 110°C
Surge line
100
Maximum RHRS temperature
80
Saturation curve - 30°C
Low limit of connection
between RHRS and RCS
60
Presuriser operation
Protection against overpressure
Saturation curve
40
31
27
25
Primary pumps NPSH limit
20
0
0
50
100
150
160
180
Mean primary temperature
°Co
200
250
297,2
306,5
FIG. 17. Average primary circuit temperature/pressure diagram.
The limit (Psat + 110 bar), Tsat limits the maximum pressure difference on the steam
generators tubes.
The limit at 160°C provides margin against sudden rupture of the reactor vessel at the end
of its life (Nil Ductility Transition Temperature — NDTT). Below this limit, the
protection against over pressure in the primary circuit is done by the residual heat
removal system and is efficient at 35 bar instead of 172.3 bar.
The maximum temperature variation speed in normal condition, d 28 qC/h, is consistent
with the design conditions of the pressure vessel (200 full range cycles over the plant
life). In case of incidental depressurisation, the limit is 56 °C/h (acceptable 20 times over
the plant life). The plant monitoring can be helped by computer assistance showing the
operation status inside the diagram.
2.
Analysis of the incident and accident procedures: It is current practice to check:
x
x
The limits of accidental conditions covered by the procedure;
The symptoms and information needed to make the diagnosis;
236
x
x
x
The operation strategy compared to the accident analysis;
The conditions of staff training; and
The interface with non affected plant equipment.
It is also important to establish the complete list of equipment and information
available during the management of the situation to assess:
x
x
x
x
x
x
The qualification of the equipment to operate in the conditions of the accident as
considered in the design such as ageing, radiation, temperature, humidity, seismic
conditions;
The measuring range;
The accuracy of the sensors and indicators compared to the specific needs (this is
particularly important for the measurement of the water level in the reactor vessel in
symptom oriented procedures);
Periodic testing frequency and acceptance criteria;
The required availability in operating conditions and limits;
The documentation and training up dating.
As these areas of assessment tend not to have been systematic in the past, significant
findings are to be expected.
5.2.3.2. Documentation updating
During the operation period, a large part of the documentation provided with the final
safety analysis report related to the description of the plant, the design basis and the safety
systems do not need updating. Such documentation should even be applicable to several units
if they replicate each other. A flexible practice should make it possible to have a basic
description of standard plant documentation, specific site documentation and, for each unit,
specific data such as “as built” information”.
Documents related to the operation phase like technical specifications, operating
procedures, periodic testing program, preventive maintenance, etc. need periodic review and,
to some extent which can differ from a country to an other, regulatory agreement prior to
implementation. This practice of preliminary agreement helps define the conditions for up
dating.
The third case relates to the updating of operational documents and general
documentation available for the operating team after a plant modification. These documents
shall be modified strictly at the time the new conditions are considered as operational to
ensure continuity between the plant, its description and the operational practices. Clear
indexation of the documentation to meet the QA requirements is also vital. Modified
documents should even be available for training prior to the effective use of the modification.
Documentation review is needed every 10 years for the periodic safety review as it
provides the starting point for this assessment. Definition of the revised shape is a part of the
periodic safety review process to be defined by the regulatory body.
237
6. DEVELOPING SAFETY
6.1. THE ROLE OF THE REGULATOR IN THE DEVELOPMENT OF SAFETY
CULTURE
The basic concept of safety culture has been presented in the INSAG-4 report [10] (see
Fig. 18). The approach to developing safety culture has much in common with that needed to
develop an effective organization. This development process can be assisted by the use of a
learning process within an organization to promote a dynamic progressive culture of safety.
Safety culture has to be inherent in the thoughts and actions of all the individuals at every
level of the organization. The leadership from management is crucial.
FIG. 18. Illustration of safety culture [10].
For developing safety culture it is important to recognize that safety culture is about
people, their organization and interactions. Human aspects to consider cover behaviours and
attitudes of the people involved, this also includes perceptions formed from influences, past
experiences, peer pressures or cultural sources.
It is equally important to pay attention to the organizational structures, the
communications within and between the groupings and such aspects as organizational culture.
This means examining the rules, policies and decision-making levels. All organizations need
direction and the management style of those in charge directly affects the attitudes, behaviour
and motivations of those who have to carry out the work. It is management’s prime task to
gain the confidence and trust of the workers and to engender a sense of “ownership” in the
organization. This sense of owning or belonging has a very positive impact on motivation and
238
subsequently progressive promotion of safety values, attention to detail, questioning attitudes
and a vested interest in individual and organizational safety goals.
Every situation and organization is unique and influenced by the national culture. It is
necessary that the national culture is taken into account when assessing or attempting to
understand safety culture. Some societies have values and behaviours which differ markedly
from other areas of the world not only in the acceptable patterns of work but in managerial
style, authority levels and the degree of questioning attitude. All these aspects need to be
considered when developing a safety culture compatible with international norms but
incorporating national practices and cultures.
The characteristics of a good safety culture are listed in [25 and 26]. These should be
used as a checklist to compare the organization’s status and to develop appropriate conditions
as required.
An organization with a good safety culture relies on the close interdependence between
technical safety and organizational processes. Continuous learning and improvement
processes play a central role in the development and maintenance of a good safety culture.
It is apparent that nearly all organizations involved in nuclear activities have in
common a concern for safety and how to improve and maintain it. There is diversity among
organizations in their understanding of safety culture. This variation can be described by using
three stages each of which displays a different awareness of safety. The characteristics of each
stage, identified below, provide a measure for regulators and operators to be used as a basis
for self-diagnosis. The characteristics may also be used by both organizations to give direction
to the development of safety culture, by identifying the current position and the position
aspired to. It is, therefore, important for regulatory authorities to recognise at which stage its
licensees are.
6.1.1. Stage of safety culture — safety is solely based on rules and regulations
At this stage, the licensee sees safety as an external requirement and not as an aspect of
conduct that will help the organization to succeed. The external requirements are those of
national governments, regional authorities, or regulatory bodies. There is little awareness of
behavioural and attitudinal aspects of safety performance, and no willingness to consider such
issues. Safety is seen very much as a technical issue. Mere compliance with rules and
regulations is considered adequate.
For an organization that relies predominantly on rules, the following characteristics
may be observed:
Production is seen as all important;
Safety is viewed as a technical requirement;
Technical problems are not anticipated; the organization reacts to them as they occur;
Organizational problems are not resolved;
The decisions taken by departments and functions concentrate upon little more than the
need to comply with rules;
x The role of management is seen as endorsing the rules, pushing employees and expecting
results;
x
x
x
x
x
239
x There is little or no awareness of work or business processes;
x Communication and cooperation between departments and functions is poor;
x People are viewed as system components — they are defined and valued solely in terms of
what they do;
x There is an adversarial relationship between management and employees;
x People who make mistakes are simply blamed for their failure to comply with the rules;
x There is not much listening or learning inside or outside the organization which adopts a
defensive posture when criticised;
x Regulators, customers, suppliers and contractors are treated cautiously;
x People are rewarded for obedience and results, regardless of long-term consequences.
6.1.2. Stage of safety culture — good safety performance is an organizational goal
An organization at this stage has a management that perceives safety performance as
important even in the absence of regulatory pressure. Although there is growing awareness of
behavioural issues, this aspect is largely missing from safety management methods that
comprise technical and procedural solutions. Safety performance is dealt with, along with
other aspects of the business, in terms of targets or goals. The organization looks at the
reasons why safety performance reaches a plateau and is willing to seek the advice of other
organizations.
6.1.3. Stage of safety culture — safety performance can always be improved
An organization at this stage has adopted the idea of continuous improvement and
applied the concept to safety performance. There is a strong emphasis on communications,
training, management style, and improving efficiency and effectiveness. Everyone in the
organization can contribute. Some behaviours are seen within the organization which enable
improvements to take place and, on the other hand, there are behaviours which act as a barrier
to further improvement. Consequently, people also understand the impact of behavioural
issues on safety. The level of awareness of behavioural and attitudinal issues is high, and
measures are being taken to improve behaviour. Progress is made one step at a time and never
stops. The organization asks how it might help others.
For an organization that develops safety performance continuously, the following
characteristics may be observed:
x Safety and production are seen as inter-dependent;
x The organization begins to act strategically with a focus on the longer term as well as an
awareness of the present. It anticipates problems and deals with their causes before they
happen;
x Short term performance is measured and analysed so that changes can be made which
improve long-term performance;
x People recognise and state the need for collaboration among departments and functions.
They receive management support, recognition and the resources they need for
collaborative work;
x People are aware of work, or business processes in the company and help managers to
manage them;
240
x Decisions are made in the full knowledge of their safety impact on work, or business,
processes as well as on departments and functions. There is no conflict between safety and
production performance, so safety is not jeopardised in pursuit of production targets;
x People are respected and valued for their contribution;
x The relationship between management and employees is respectful and supportive;
x Almost all mistakes are viewed in terms of work process variability. The important thing
is to understand what has happened rather than find someone to blame. This understanding
is used to modify the process;
x The existence of conflict is recognised and dealt with by trying to find mutually beneficial
solutions;
x Management’s role is seen as coaching people to improve business performance;
x Learning from others both inside and outside the organization is valued. Time is made
available and devoted to adapting such knowledge to improve business performance;
x Collaborative relationships are developed between the organization and regulators,
suppliers, customers and contractors;
x Aware of the impact of cultural issues, and these are factors considered in key decisions;
x The organization rewards not just those who produce but also those who support the work
of others. Also, people are rewarded for improving processes as well as results.
The above characteristics describing each of the three stages of evolution could serve
as the basis for a survey to establish which stage an organization has reached.
The above descriptions of each of the three stages of evolution of safety culture are
clearly relevant to large organizations typically associated with major nuclear installations.
The majority of the characteristics are also relevant to smaller organizations or groups of
people involved in a wider range of nuclear activities such as industrial or medical
radiography, or the operation of research reactors. Large scale organizations present particular
challenges on ensuring that there are good communications and co-operation between the
various functions within the organization. Communications tend to be more direct in smaller
groups. The response to pressure from peers is likely to be quicker in small groups, but
partially countering this, is the potential influence that the culture of a professional institution
can have on individuals within these groups. Multi-cultural influences may thus be more
visible in smaller groups. In large organizations there is more likely to be a dominant
organizational culture. Pursuing the development of a good safety culture in a small group
may necessitate some attention to the status of safety culture in any professional institutions
affecting people in the group.
Irrespective of the size of the organization a pre-requisite for the development of a
good safety culture is the visible commitment of the person or persons responsible for leading
the organization or group.
The process for the development of safety culture can be assisted by the use of a
learning process within an organization. A person or organization learns by reflecting on what
they have experienced, formulating concepts and ideas for change while continuing existing
best practice. The implementation of such concepts and ideas is intended to improve
performance and, thereby, modify future experience. At an appropriate time this modified
experience can itself be reviewed and lessons learned and when additional ideas are
implemented, the cycle is repeated. Regulatory bodies need to promote the feedback of
241
experiences and the establishment of learning processes to update current thinking and
practices.
There are a wide range of practices that are of potential value in the practical
development of a progressive safety culture. Many practices are already identified in INSAG4 and some additional practices not specifically mentioned in INSAG-4 are already commonly
accepted as being of value in the development of an effective organization. A subset of
practices which are judged to be of particular relevance to the development of a safety culture
is described later in more detail.
The time scale required to progress through the various stages of development cannot
be predicted. Much will depend upon the circumstance of an individual organization and the
commitment and effort that it is prepared to devote to effect change. Historical experience to
date indicates that the time scale for change can be long but it should be recognised that many
of the organizational concepts that have provided a new perspective on the influence of
culture on safety, have only been conceived in recent years. Now that these concepts and
supporting principles are acknowledged internationally, and practical experience is being
shared, it may well be possible to progress through the stages more rapidly. However,
sufficient time must be taken in each stage to allow the benefits from changed practices to be
realised and to mature. People must be prepared for such change. Too many new initiatives in
a relatively short period of time can be organizationally destabilising. The important point to
note is that any organization interested in improving safety culture should start and not be
deterred by the fact that the process will be gradual.
6.1.4. General practices to develop organizational effectiveness
Within an organization safety culture is a subset of the wider organizational culture.
Many practices which are used internationally to improve organizational effectiveness can
contribute to developing improved safety. This section contains information on some of these
general practices.
Many organizations recognise the importance of ensuring that there is unity of purpose
among their employees, and that they are motivated to achieving the organizational goals.
These organizations also recognise that guidance should be given to employees on how they
should behave towards each other, and towards others external to the organization.
Openness, trust and two-way communication are keystones to establishing effective
organizations.
The concepts of vision, mission, goals and values are often used to achieve the above
desired requirements. Although normally used in a business planning context, these concepts
can also be usefully applied to promote safety improvement.
The individual concepts are briefly described below in the context of safety.
Vision
The vision describes in a few keywords the future aspirations of the organization, and
paints a picture of where the organization would like to be in future. The time scale for
achieving the vision will vary with each organization, but generally the time scale is several to
242
many years. A vision can be used to align the efforts and energies of employees. An example
of a safety related vision for an organization would be “to be regarded as the best safety
performer in its sector of industry.
The creation of the fundamental vision is the responsibility of top management but it is
essential that employees have an opportunity to learn and understand the driving force for the
vision so that they are committed to achieving it. There is a great responsibility on all
managers to communicate the vision to their workforce.
Mission
The mission briefly summarises in a few paragraphs what has to be done in order to
achieve the vision. It may refer to the organization’s intended relationship with employees and
external groups. It may also contain quantitative targets and can undergo change during the
time frame of the vision.
Goals
There will be a range of actions that have to be taken to achieve the mission. Each
action will have a specific goal. Each goal can be regarded as a focal point for an action plan
within the organization and serve as motivation for employees. An example of a safety related
goal is “to reduce the average radiation exposure of employees by 10% during the next year”.
Values
Values are those standards and principles which people in a group or locality might
share. values govern attitudes which show themselves in the behaviour of people towards each
other. In organizations values will be present implicitly. The aspirations of an organization for
how people should be treated, and how the people themselves want to be treated, may be
explicitly stated in values set by top management. These values have to be shared and must be
made known to all levels of the organization. They are considered inviolate. A value that
addresses safety is that “safety is never compromised”.
Process for developing and implementing a vision, mission, goals and values
The real power of these concepts is less in the words created than in the process used to
create it. Employee involvement is essential, but there is a particular emphasis on top
managers and their subordinate managers to lead, communicate and seek input from their
workforce. These concepts have no benefit unless they are genuinely shared by the workforce.
Developing a safety related vision, mission, goals and values may be a good starting
point and a focal activity for initiating improvements in safety culture. Once the vision,
mission, goals and values have been developed, a strategic plan should be developed to
facilitate its implementation. This strategic plan should include policy, organizing, planning
and implementation, a means of measuring performance and review mechanisms,
supplemented by appropriate audits.
Coaching of employees by managers to improve safety performance is important.
There should be a process of continuous evolution of improved safety rather than satisfaction
with achieving safety targets. In Stage III, an organization will probably be moving toward the
243
development of these facilitation skills in all individuals who will serve in leadership
positions within the organization.
Experience has shown that organizations characterised as being very open to the
public, professional associations and the regulator as well as internally have gained in both
public confidence and in the successful management of safety. Confidence and trust can easily
be lost when secrecy and a tendency to cover up on failures is discovered. It will generally
take a long time before confidence and trust can be recovered. Openness is also a basic
requirement for the sharing of experiences, which in turn, provide a basis for an organization’s
ability to learn and improve over time.
Most successful organizations actively encourage teamwork among their employees. A
team is a group of people who are committed to work together to achieve some common
objectives. The combination of individuals in teams generally results in a more effective
solution to a problem or achieving an objective. This is particularly true when the problem is
of a complex nature and its solution requires the input of different disciplines.
Continuous evolution of improved safety performance
An organization needs to focus on continuous evolution. In other words no matter how
well the organization is currently performing, it always needs to be looking at how it might
perform better still. This includes looking at ways current systems and processes might be
improved, and also looking at how advantage can be taken of changing technology.
Continuous evolution is most effectively sustained by focusing on improvements generated by
employees. It is recognised that the design of a nuclear facility has to be frozen at some stage,
but this does not prevent evolution of future design standards.
The concept of employee empowerment can be misunderstood. It does not mean the
abdication of management accountability or uncontrolled and undirected employee
participation. The aim of empowerment is to provide employees at all levels, and in all parts
of the organization, with the skills, support and commitment required to maximise their
contribution to organizational performance. A commitment to the continuous evolution of
improved safety performance and the empowerment of employees to contribute to that
improvement can be a potent force in achieving sustained high levels of safety.
The involvement and commitment of senior management in pursuing high standards of
safety is essential. Without a visible and genuine demonstration of this commitment by
personal behaviour and leadership example by management, other workers in the organization
will not be convinced of the importance of safety compared to other organizational issues.
Words without deeds will create an illusion of safety that will result in the development of a
superficial safety culture.
To support the development of a good safety culture, senior managers can contribute
by:
x Gaining understanding of safety culture concepts and practices by undergoing appropriate
training;
x Demonstrating a leadership style that has an appropriate balance between caring and
controlling;
244
Being visibly interested in safety;
Having safety as a priority item on the agenda at meetings;
Encouraging employees to have a questioning attitude on safety issues;
Ensuring that safety is addressed in the strategic plans of their organization;
Having personal objectives for directly improving aspects of safety in their areas of
responsibility;
x Regularly reviewing the safety policy of the organization to ensure its adequacy for current
and anticipated circumstances;
x Monitoring safety trends to ensure that safety objectives are being achieved;
x Taking a genuine interest in safety improvements and giving recognition to those who
achieve them, and not restricting their interest to situations where there is a safety
problem.
x
x
x
x
x
Senior management should ensure that their organization has a safety management
system that provides a structured, systematic means of achieving and maintaining high
standards of safety performance.
The board of management of an organization which possesses the highest level of
executive authority should routinely discuss and review safety performance. A practice
adopted by some boards of management is to nominate one of their members to assume a
special responsibility on behalf of the board in monitoring safety performance and the
proactivity of line managers in implementing plans that include seeking improvements in
safety.
Development of a strong safety culture can result in more effective conduct of work
and a sense of accountability among managers and employees. They should be given the
opportunity to expand skills by training. Thus, the resources expended result in tangible
improvements in working practices and skills. This consideration should encourage further
development to improve safety culture.
In promoting an improved safety culture there have been different emphases, with
some countries favouring an approach giving a high profile to the use of behavioural sciences
while others have emphasised the quality management system approach to enhancing safety
performance. There is consensus that account should be taken of both national and
organizational culture in promoting an improved safety culture and an appropriate balance of
behavioural sciences and quality management systems approaches should be pursued.
Many of the features of a strong safety culture have for a long time been recognised as
good practices in many areas of safety activities, for example in the nuclear industry as well as
in other industries such as aviation. What has emerged in recent years is more emphasis on a
systematic approach to the development of an improved safety culture. There is an increasing
awareness of the contribution that human behavioural sciences can make to developing good
safety practices. Just as nuclear facility performance relies on the technical advice of
specialists, some aspects of safety and organizational performance can be improved by
seeking advice from experts in the behavioural sciences.
Safety culture is important in that it is an influence on behaviours, attitudes and values
which are important factors in achieving good safety performance. Organizations with mature
safety cultures focus more on the overall goals and key points rathers safety culture by setting
245
an example from their own organizational practices and by applying the principles of good
safety culture in their interactions with the operator. It is vital that the regulator understands
the safety culture factors necessary to supplement technical expertise.
The basic concept of safety culture has been presented in the INSAG-4 report safety
culture [10]. The approach to developing a safety culture has much in common with that
needed to develop an effective organization. This development process can be assisted by the
use of a learning process within an organization to promote a dynamic progressive culture of
safety. safety culture has to be inherent in the thoughts and actions of all the individuals at
every level of the organization. The leadership from management is crucial. Safety culture
applies also to conventional and personal safety, not only nuclear safety. All safety
considerations are affected by common points of belief, attitudes, behaviours and cultural
differences closely linked to a shared system of values and standards.
6.2. THE ROLE OF ASSESSMENT IN THE DEVELOPMENT OF SAFETY CULTURE
6.2.l. How to measure safety culture
No composite measure of safety culture exists. The multi-faceted nature of culture
makes it unlikely that such a measure will ever be found. Changes are usually slow and often
imperceptible. Nonetheless, historic experience demonstrates that over finite periods of time
cultural changes can be discerned, and the same should be true of safety culture. To assess
progress in the development of safety culture we may have to abandon the search for a single
composite measure and concentrate on identifying the range of indicators that reflect the
individual sub-components of culture. The basic range would comprise measures for
observable behaviour, conscious attitudes and perceptions or beliefs. In [25] it is discussed the
use of behavioural measures, attitudinal measures and perception or belief measures.
Behavioural observation and attitudinal surveys fit well for self-assessment in operating
organizations.
Detecting incipient weaknesses in safety culture is a tool that fits well for regulators
and their inspection programmes. There is often a delay between the development of
weaknesses in an organization’s safety culture and the occurrence of an event involving a
significant safety consequence. Alertness to the early warning signs allows remedial actions to
be taken in sufficient time to avoid adverse safety consequences.
Regulators have an obvious and legitimate interest in maintaining safety culture, and
whilst it may not be practicable and appropriate for them to prescribe a safety culture, they
have an important role to play in encouraging organizations to identify, understand and apply
positive steps to improving safety culture. Currently, most regulatory regimes are geared to
negative feedback; hence it is important to stress practices that develop strong safety culture.
However, it is important that regulators also be alert to incipient weaknesses in safety culture,
and therefore guidance on symptoms to look for when carrying out regulatory duties, are also
needed.
When safety culture first start to deteriorate, the most obvious early warning signs are
those associated with a significant accumulation of corrective actions that have not been
processed, together with a growing list of outstanding actions that also have high safety
significance. The nett result of this large amount of outstanding work is that the organization
doesn’t know quite how to deal with the ever-growing demands on its all-too-obviously finite
246
resources. As a consequence of these pressures, organizations start to become more rigid, less
outward-looking, less communicative internally, and they also appear much less interested in
learning valuable lessons, and applying relevant knowledge from other sources.
In this increasingly overloaded and under-resourced situation, organizational responses
to crises start to become highly ritualised. For example, there might be a constant refrain that
demonstrably defective procedures will somehow need to be re-written, that training must be
improved, and that operatives must take more care. However, in practice few, if any, effective
remedial measures are ever taken, and appropriate design and equipment modifications also
become stalled, simply because the organization has chosen to adopt, in the first instance, a
fire-fighting, and then finally, a siege mentality. In this situation, social loafing (leaving it to
others) and ultimately, learned hopelessness (ritualised recognition of the apparent futility of
an individual’s own actions) increasingly start to manifest themselves as individuals perceive
that their own particular efforts are unlikely to count for anything in the overall battle for
survival.
As the problem of countering the growing list of remedial actions becomes
increasingly acute, senior management find that they do not prioritise their actions effectively,
and as a result they start to attach and apportion blame to those individuals who appear to be
the source of their problems. In its extreme forms, such scapegoating behaviour can be
focused not only on those who are trying to prevent safety problem repetition and who wish to
learn the necessary lessons, but even on the immediate victims of safety deviations.
Some safety cultures can also start to deteriorate simply because managers come to
believe that safety performance is satisfactory, or else because its “champions” relax, become
complacent, move on, or simply drop their guard. However, in general, though not in every
case, most of the behaviours outlined above tend to occur as a direct consequence of highly
significant corporate change processes. Very often, social, political, or commercial pressures
can start to affect the ways in which utilities plan and operate, with the result that uncertainty
then becomes a way of life. In this climate, safety behaviour is not only not rewarded, but
sometimes can sometimes even be punished, with the result that business survival becomes an
even stronger influence on corporate behaviour than safe corporate behaviour.
The first early warning signs of deterioration need to be heeded because there is
difficulty in revitalising a successful safety culture. Even though the situation can, at times,
appear hopeless, there is every likelihood that early detection of the problem will lead to early
diagnosis and the application of effective remedial measures. For example, an “assisted blitz”
on outstanding corrective actions can very often lead to early feelings of management success
and a resumption of corporate control, with the result that those directly affected by the work
backlog can see that senior management is not only committed to stabilising the situation, but
that they are also prepared (at least in the short term) to prioritise safety over production
objectives; that they are leading from the front; and that they are taking “ownership” of the
problem. Regaining effective control of the safety mission, and applying appropriate remedies
at the earliest possible moment, therefore, is probably the most valuable investment that a
utility can make when faced with an apparently deteriorating safety culture. It is important that
regulators are aware of the early warning signs of a weakening safety culture so that remedial
actions can be taken to avoid adverse safety consequences. Currently, most regulatory regimes
are geared to negative feedback, but the ability of the regulator to encourage the operator to
identify, understand and take positive steps to improve Safety Culture is extremely important.
247
The following are features that regulators and operators should pay attention to when
inspecting and assessing the plant and other facilities. Some features are associated with the
information provided to the regulator by the operating organization, many are points to be
monitored by regular observation and which can be used to provide indicators to the level of
safety culture in an organization. They are not difficult to detect and relate directly to the
actual situation.
6.2.2. Organizational issues
Organizational support
Safety culture does not exist in isolation and is influenced by the prevailing
organizational climate or culture. It is important that the organizational culture be supportive
of safety, particularly in encouraging the appropriate behaviours, attitudes and values among
employees. Tangible evidence of a supportive organizational culture includes the following:
x Visible leadership and commitment of senior managers to achieving good safety
performance;
x Understanding by employees that safety performance is important to the future success of
their organization;
x Employee involvement in safety improvement activities;
x Effective communication of safety information including safety performance trends;
x Focus on learning from problems rather than allocating blame;
x Primary organizational goals include safety and are not focused on cost or financial targets
only;
x Adequate allocation of financial and other resources to the support of safety.
Evidence of the presence of the above attributes can be obtained by observation,
employee interview or questionnaire survey. Questionnaires should be designed with care to
ensure their consistency, reliability and validity. Table XVI collects common safety culture
components that are useful in safety culture assessments.
TABLE XVI. COMMON KEY SAFETY CULTURE COMPONENTS
x
x
x
x
x
x
x
x
x
x
x
x
248
Top management commitment to safety.
High priority of safety.
Strategic business importance of safety.
Frank and balanced relationship with the
regulators.
Proactive and long-term perspective.
Quality of documentation and procedures.
Sufficient and competent staff.
Clear roles and responsibilities.
Openness and communications.
Involvement of all employees.
Housekeeping.
Organization learning.
x
x
x
x
x
x
x
x
x
x
x
Visible leadership.
Systematic approach to safety.
Absence of safety versus production conflict.
Appropriate relationships with other external
organizations.
Management of change.
Compliance with regulations and procedures.
Proper resource allocation.
Team work.
Motivation and job satisfaction.
Good working conditions with regard to time
pressures, work load, stress.
Measurement of safety performance.
External environment pressure
Many organizations are subjected to increasing economic and business market
pressures that are forcing them to reduce significantly their cost base, often through downsizing of their workforce. In some regions of the world there has been major political and
social change that has impacted organizations both directly and indirectly. These changes
create uncertainty in organizations that inevitably affect the behaviour and attitude of people.
Organizational goals and priorities can change significantly and there is the potential for
safety standards and performance to be adversely affected. Attention should be paid by all
involved, either in the management or regulation of safety, to how change is being managed to
ensure that the principles of good safety are not being jeopardised.
Organizational insularity
Organizational insularity can cause safety culture to deteriorate simply because
managers come to believe that their safety performance is satisfactory and therefore become
complacent. Managers have no benchmarks or learning opportunities. Insularity can be
internal to an organization. Plants and facilities belonging to the same utility often create and
display very different and operational styles and identities. Whilst this can assist in promoting
a feeling of corporate identity, and individualism useful in building morale, it has undesirable
elements in its influence on safety culture.
Regulators need to review the organizational and operational aspects of each plant and
compare these aspects such as interaction with other plants, interchanges of staff and
information and collective problem solving. It is not a healthy sign to detect a lack of
communication and interaction and the regulator should be alert for signs of plants “not
talking to each other”. Small differences in style, approach or for local adjustment are
acceptable but the aim should be for a consistent and open attitude to prevail across all the
plants at a utility. It may not be immediately obvious to regulator or utility management that
such large differences exist, however, it is in both their interests to review and rectify any
shortcomings between sites or plants. It makes the regulator’s job easier to deal with a
standardized approach and it makes economic sense for utilities to function as a family and
profit from the ‘pooling’ of ideas and resources.
This is, therefore, an area that warrants further investigation by the regulators to
determine on a regular basis that an ‘open’ and interactive organizational style prevails
between the plants under their jurisdiction.
Openness
Open and honest communication between regulator and representatives of the
operating organization is essential if the former is to be able to assess and evaluate the safety
culture. Difficulties in obtaining information may be a sign that there is a weakness in the
safety culture. An organization striving to improve and develop its safety culture should be
willing to share its experience with others as well as using the experience to improve its own
safety. With deregulation and increased competition there may be a tendency to restrict
information on the grounds of commercial value. This should not be allowed to escalate and
undermine the openness of the relationship between the regulator and the organization. An
increase in requests for information to be treated as commercially confidential may be an early
249
sign that a barrier to mutually beneficial information exchange and opportunities for sharedlearning are being erected. This could ultimately degrade the safety culture.
This may also extend to the openness of the organization to participate in and
contribute to international exchanges and initiatives.
6.2.3. Regulatory issues
Corrective actions
The existence of an effective self-assessment, root cause analysis and corrective action
programme is a positive indication of a good safety culture. Measuring the number of open
corrective actions and the length of time for which the actions have been open is a good
indicator of general managerial effectiveness in planning and organizing work, allocating
priorities and monitoring the progress of implementation. This is particularly important when
the corrective actions are safety related.
Many organizations maintain databases of corrective actions and construct an index to
indicate the status of corrective actions. An example is provided here of one possible index
which takes account of both the number of corrective actions and time open.
Patterns of problems
Part of the ongoing monitoring of compliance and plant status checks normally carried
out by the regulator is the collection of information from varied sources. By arranging this
information in pre-determined categories it is possible to create a profile or pattern of similar
situations from which preliminary conclusions can be drawn. The range of categories is
dependent on the system available for information to be reported and analyzed, however, it
should be comparatively simple to create a list of safety culture attributes based on, for
instance INSAG-4, against which reported or observed occurrences can be recorded. Such a
collection can then be arranged into areas of recurrence or patterns of problem areas with
which to commence further investigations into the causes.
Repetition of problems usually indicates that the root cause was not identified correctly
and that whatever corrective action may have been implemented was not adequate.
Information can be collected from formal or informal sources and where possible should be
corroborated or cross-checked to validate its accuracy.
This data collection and analysis method can be used to produce trended information to
indicate levels of reported performance by sections, groups or departments of the plant. Whilst
they are not true indicators of performance trends are guides that can alert the regulator to
areas of concern based on actual plant sourced information.
Procedural inadequacies
Documentation is the lifeblood of an organization and regulatory requirements demand
that it be acceptable in quality and content. It is also required that safety documentation be
complied with and, therefore, it must be up to date and reflect the actual situation. Normal
quality assurance audits and checks should cover these requirements, however, these are
usually not performed often enough to monitor the day to day status of review and revision.
250
An important element of safety culture is that employees will have confidence in
procedures and use them correctly. However, it is essential that the regulator has an indication
of the situation pertaining to regular documentation reviews and that any deteriorating
situation is detected at an early stage. Failure to detect and rectify non-standard situations
regarding procedures, etc. will lead to plant employees ignoring instructions, losing
confidence in documented requirements and probably taking unilateral and unsafe actions.
The slippage of review dates and revision issues is a strong contributor to poor safety culture
and can also indicate weaknesses in other areas such as management, configuration control,
resourcing and safety decision-making. It also influences morale, as the employees often
perceive that if the documentation is neglected then other areas of concern are suffering as
well.
Regulators should, therefore, monitor on a frequent basis not only the quality of
presentation, format and availability of documentation but also insist on a list of review dates,
current status and delays. This list can then be checked on-site with random inspections of
procedures, etc. to verify what has been revised and whether the reporting and review system
is working. A large number of documents that have exceeded their review dates indicates a
significant weakness in documentation management and requires urgent regulatory
intervention.
Quality of analysis of problems and changes
Regulators have to be sure that any analysis carried out at the plant follows a
systematic, auditable system that will ensure the correct methods are used, that validation is
performed and that the correct solutions are defined. Too often the process is circumvented
due to inadequate identification of the problem, lack of resources and knowledge or time
constraints and these can lead to inappropriate actions being taken.
In the case of plant modifications the regulator usually demands a safety justification to
be presented prior to approval and this should be drawn up in accordance with pre-determined
requirements set out by the regulator. Typically, these should include the philosophy,
statement of problem, proposed courses of action, justification and independent review by the
utility. A root cause analysis has to be undertaken to ensure that the real cause of the problem
is identified and evidence of the adequacy of this can be readily checked by the regulator
through monitoring the re-occurrence of similar problems.
The establishment of a review and analysis group at the utility with the correct level of
experience and qualifications will add confidence to the analysis process, however it is
important that the regulator checks regularly that this group remains in place. Training and
demonstration of root cause analysis should also be demanded by the regulator with regular
checks on the composition of the group and random examination of the root cause analysis
carried out by the group to monitor accuracy.
It may also be possible at multi-site utilities for the regulator to cross check
submissions from plants on the same or similar submissions to identify any anomalies which
may indicate a serious mismatch in review and analysis techniques.
In all cases the emphasis must be on systematic and conservative assumptions that can
be related to risk and the accepted safety criteria. The fundamental principles of safety culture
namely, prudent and rigorous approach, questioning attitude and communications underpin
251
the need for all safety case submissions and root cause analyses to be carried out with due
regard for the possible consequences.
Whereas sufficient attention may be devoted to technical plant modifications, the same
is not always true for changes in organizational systems. Yet it is the latter that may have very
serious consequences for the ability of the organization to develop a sound safety culture.
High quality in analysis usually also requires an integrated approach i.e. to have a
broader view of safety and recognising the need for integrated analyses with the involvement
of different specialists. In order to be more proactive the analyses performed also need to
include a long-term perspective.
Lack and failure of independent nuclear safety reviews
For all nuclear safety-significant proposals and modifications, independent nuclear
safety assessments, should be undertaken by persons other than those who have undertaken
the original work. In a healthy safety culture, these assessments will always have been fully
documented, and checked for methodological, calculation and technical accuracy and validity,
using approved procedures. As well as providing evidence that a safety culture is continuing
to produce documentation to an approved regulatory standard, regulators and licensees will
wish to satisfy themselves that there is continuing commitment to the production of high
quality independent safety documentation, that all necessary checks are being made on a
regular basis, that assessments are consistent with the level of change being contemplated, and
that reviewers are fully conversant with the implications of the proposals, in addition to any
provisions that might be necessary to provide assurance that the proposals will work in
practice.
Reality mismatch
A well-developed safety culture will always be consistent with the nature of the safety
case and the state of the plant. What this means in practice is that the plant state and
configuration will always match the assertions of the safety case, and the plant condition will
always support and enhance the requirements of the safety case. In other words, the plant
state, configuration and condition must, at all times, be fully consistent with the claims that
are being made in the safety case and that likewise the claims that are required in support of
the safety case must never make demands on plant or personnel which are unrealistic or
unreasonable. A well-developed safety culture will prompt plant management to make such
consistency checks for themselves, whereas a less-well developed safety culture will usually
result in regulators’ having to insist that such checks are made. Suitable checks can be made
on a room-by-room, system by system or function by function basis, as appropriate to the
claims made in the safety case. Which ever means are used, it is essential that the provisions
of the safety case are at all times fully reflected in the reality of the plant and personnel
characteristics, and if licensees are seen to be inattentive to such matters, regulators may have
to make such checks themselves. If this were to become necessary, it would be indicative of at
least three basic shortcomings in the licensees’ safety culture. First, the regulator would have
to be concerned that the licensee was not making the necessary cross-checks, and that,
amongst other things, this could indicate a lack of commitment. Secondly, such inattention
would be indicative of the fact that communication and co-operation within an operating
organization were not properly developed. Thirdly, such a situation would not only place an
252
undue burden upon a regulator, but it would tend to indicate that the licensee did not possess a
learning culture, which would then be a major concern.
Violations
Non-compliance (violations) tend to be recorded by most licensees to varying degrees,
in relation to breaches of operating rules and operating instructions. Such reports can be of
variable quality and detail but almost all will be notifiable to the relevant regulatory bodies.
Not only do violations provide a rich insight into the operational performance and compliance
characteristics of any organization, and a fertile ground for investigation into general and
specific problem areas, but they also serve to indicate whether a licensee is radically different
to others operating similar plant. Whilst recognising that there will, of necessity, be some
important differences between the reporting levels and criteria that must apply as between
nations, it is possible, nevertheless, for a licensee to benchmark itself in relation to others in a
similar class, e.g. those operating similar plant or similar age. Such benchmarking can provide
valuable insight into the relative success with which a licensee is managing its affairs, and is
indicative of the extent to which its safety culture is keeping up with the evolution of other
comparable organizations. For example, if a licensee had plant that was broadly similar in
design, age and operating regime to another licensee’s installations, and which, even after
allowing for reporting level differences, experienced a disproportionately high incidence of
non-compliance as compared to its counterparts elsewhere, this would be a matter for
investigation by both licensee and regulator. As a minimum, such an investigation would need
to account for the apparent differences between apparently comparable installations. This
would indicate, first of all, the presence of a learning culture, and therefore a potentially
strong safety culture at work. In addition, it would provide the basic raw material for the
necessary corrective actions that one would expect to flow from such an investigation, thereby
satisfying the requirement of continuous improvement and a desire to remain at the fore front
of the nuclear community.
Repeated requests for dispensation to regulatory requirements
Requests for dispensations to existing regulatory requirements can occur, particularly
prior to restart after a planned outage. When requests are frequent this should trigger a review
of the adequacy of the regulatory requirement, or of whether production priorities are being
over-emphasised at a possible disadvantage to safety. The latter would be a sign of a
weakening safety culture. When requests for dispensations are made at the last minute the
regulator is placed in the unenviable position of having to prevent production restarting, with
the associated economic consequences; instead of the focus being on the inadequate planning
and work implementation by the organization. The latter are signs of weaknesses in the
organizational culture that clearly have consequences for safety.
6.2.4. Employee issues
Excessive hours of work
A significant factor in the degradation of personal performance is fatigue. Safety
culture relies on optimum output in the areas of attention, questioning attitude, diligence and
fitness for duty, however, all these are adversely affected when a person is tired and stressed.
Working hours must be formulated and regulated to allow individuals to perform their allotted
duties within reasonable time scales without imposing undue pressures which can induce
253
unsafe and undesirable consequences. Transition from normal to additional working hours is
an accepted part of industrial life, however, excessive and sustained overtime work can lead to
safety problems and is unfortunately all to frequently sought by the worker. Regulators can
check the hours worked by staff, either permanent or contractors, to monitor the acceptability
of overtime and to identify cases of excessive or sustained attendance hours.
Many incidents have included the influence of overtired and stressed individuals as a
contributing cause and this is one area that needs to be identified and analysed by the regulator
as a category in occurrence trending. Persistent abuse of overtime and the continued re use of
staff on call-outs or replacement work would indicate to the regulator that resource levels and
planning of work require investigation. The potential for excessive working hours is
particularly acute in outage periods and when combined with the attendant pressures of
meeting deadlines and the physical stresses often experienced under outage conditions can
lead to a serious degradation of safety culture.
Number of persons not completing adequate training
Training plays an integral role in the safety culture of an organization and the regulator
would want to be assured that adequate attention was being paid to the quality and
applicability of training programmes. These aspects are checked by submission, examination
and acceptance of the training required by the regulator, however, the attendance and
performance of staff at training sessions needs ongoing attention. Regular checks on the status
of training hours and the results of training testing are easy to undertake and when added to
the profiles obtained from analysing other safety culture areas can provide additional
indication of the commitment level of staff and management. When this information is
correlated with the results of occurrence analysis, particularly, if groups or departments are
highlighted it provides supporting evidence to the regulator that further investigation and
targeted corrective action may be needed in the area of training.
Failure to use suitably qualified and experienced persons
All nuclear plant operations should employ suitably qualified and experienced persons.
Whilst this is a basic requirement, and even a licence condition for many operating regimes, it
is apparent that it cannot always be achieved in practice. Such failure tends to show itself in
those incident and accident event reports that conclude that further training/retraining etc. of
personnel is required. Suitably qualified and experienced persons can be readily identified and
recruited, however, by careful attention to the needs of a given job. This proactive approach
includes identification of the principal duties and responsibilities of the job holder, the
attributes required for the tasks to be performed and the preparation of a profile outlining the
characteristics that would be required of any job incumbent in order to carry out the duties
effectively. Poor safety cultures would tend not have job profiles available, nor would they
make the necessary attributes explicit, whereas good safety cultures would not only have all
the basic systems in place, but they would seek to use incident feedback, amongst other things
to identify any personnel deficiencies, and incorporate any such identified features into their
selection and recruitment procedures for future application, as appropriate. The presence of
unsuitable and inexperienced personnel becomes readily apparent when checks are made
regarding knowledge and experience requirements against the basic skill, knowledge and task
capability that is available within a workforce. Such checks can be made by means of skills
and job task analysis.
254
Understanding of job descriptions
Typically in poor safety cultures, some individuals are not fully aware of the full
requirements, responsibilities and accountabilities of their job. This can arise either because
job descriptions have not been properly prepared in the first instance, or else because
individuals have not been properly briefed on the expectations of their employer. In either
case, it will be apparent that there is the potential for a significant mismatch between the
expectations of the employer and the employee. In order to check that this is not a safety
culture concern, the licensee should produce the necessary safety components of the relevant
job descriptions. The regulator should then require evidence that there is a one to one
correspondence between the job holders’ understanding of their respective job responsibilities,
and the licensee should be able to produce evidence that the job holders actually understand
the requirements of their jobs as defined by the licensee. In the first instance, such
confirmation could take the form of a simple written affirmation that the jobholder has
received, agreed and understood the job description, and that the licensee is confident that the
job holder understands the job description and the general requirements. This would probably
need to be followed up by way of further confirmatory checks, however, such that, wherever
possible, key job holders would be asked to outline their jobs, and indicate their competence,
skills, knowledge, background and experience, which would all be evaluated against the job
descriptions that had been prepared. Where necessary, further checks would then be made at
the discretion of the regulator, by seeking confirmation of the suitability of both job
descriptions and job holders as evaluated by additional external agencies, such as the
operators of similar plant and/or recruitment/training specialists.
Contractors
An emerging trend in plant maintenance and support is the increased employment of
contractors to replace traditionally plant based personnel. Whilst this has financial benefits for
the Utility it often comes at the expense of safety, either directly as a result of lower contractor
standards or the indirect effects on permanent plant employees.
Control and direction of contractor employees can often fall short of that expected
from permanent plant employees. Regulators can monitor this situation by regular checks on
contractor behaviour, analysis of reported occurrences of contractor performance, on-site
inspection and review of contractor records.
Trending and analysis of occurrences or problems may reveal contractor involvement
and shortcomings, however, the regulator needs to be aware at an early stage of the utility’s
intention to utilise contractors. Examination of the contract specifications and conditions prior
to contract award may allow the regulator to determine the adequacy of safety, supervisory
and training provisions and require appropriate amendments. One of the problems associated
with contractor usage is the effect on regular employees who may feel threatened, insecure or
resentful all of which may have adverse impacts on their safety performance.
However, any changes to contractor policy or adverse performance attributable to
contractor involvement needs to be identified by the regulator so that any remedial action can
be taken swiftly.
255
6.2.5. Plant conditions and trending
Plant conditions provide a useful and valuable insight into the general health of an
organization’s safety culture. It has long been recognised that poor housekeeping standards are
an indicator of behaviour and attitudes that are not likely to be conducive to the development
of a sound safety culture. Other indications are lack of attention to alarms or repair of
malfunctioning equipment; overdue maintenance work or poor information recording and
archiving systems. These deficiencies are prevalent when there is inadequate managerial and
supervisory attention to safety matters, and often reflect the absence of an effective selfassessment and self-inspection regime. Such deficiencies damage the credibility of any
claimed organizational commitment to safety.
Collecting data from occurrence reports in categories of human factors allows safety
culture to be displayed in various formats for simple presentation. The attached examples
show “ERROR” categories of “Omission” — where the worker did not carry out an action and
caused an error, and “COMMISSION”, where the worker physically committed an action that
caused the error. These proportions can indicate training, complacency and even attitude
problems that if analyzed further by root cause analysis or questioning can pinpoint
weaknesses in the system.
Behaviour Type information is displayed in percentages to indicate the captured data
by categories communication, cognitive, perception and motor. These headings are selfexplanatory and can also indicate areas for improvement if their trend is increasing.
Further analyses by department, group and error groups will allow individuals and
teams within the organization to focus on specific aspects that may require corrective action or
perhaps a pat on the back for work well done!
It should be noted that whatever the category or type of data selected it must be based
on fact, be easy to collect and indicate areas of direct interest to the persons involved. This
type of feedback is particularly useful in the promotion of safety culture principles and when
drawn from a specific activity period such as an outage it can be used to illustrate how the
workforce behaved and which problems need to be addressed in the future.
6.3. ILLUSTRATION THROUGH NATIONAL EXAMPLES
6.3.1. Risk-informed, performance-based regulation in the USA
This Section discusses the new process in the USA for reactor oversight and assessment,
emphasizing its procedural — rather than technical — aspects. More detailed technical
material relating to the process is available through the NRC’s Website (www.nrc.gov). The
new risk-informed/performance-based (RI/PB) process is a major departure from the way
NRC conducted its reactor oversight process in the past. However, it should be emphasized, at
the outset, that NRC is not abandoning regulatory tools that have proved their usefulness over
time. Rather, the new system is an attempt to add some new dimensions to make the oversight
process more efficient, economical and effective. In this regard, terminology is important. The
Commission has specifically used the term “risk-informed” to make clear that the new system
has not discarded “deterministic” techniques to become entirely “risk-based”. The new
program does make broader use of probabilistic safety analysis as a powerful regulatory tool.
But the PSA approach represents only one element in the regulatory arsenal. “Performance” is
256
another key element that NRC assesses through wide range of techniques, including
inspections and industry self- reporting.
Prior to adoption of the RI/PB system, the NRC’s approach was represented — correctly
or incorrectly — as one of the most prescriptive of almost any other national nuclear
regulatory body. By prescriptive, critics were referring to an emphasis on compliance with
detailed rules, and enforcement through intensive agency inspections. NRC’s earlier system
reflected the long history of nuclear regulation in the USA. It was implemented through a
process called the systematic assessment of licensee performance (SALP). The SALP process
involved public meetings between the NRC and licensees to review plants that had received
good scores or bad scores in the inspection and assessment process. This resulted in
considerable tension between operators and regulators, with increasing complaints about the
costs and burdens of regulation.
NRC decided to make some far-reaching changes in its oversight process for a variety of
reasons. One factor was the maturing nature of the nuclear industry and nuclear technology.
Since the Three Mile Island accident in 1979, the US industry had achieved substantial
improvements in plant performance, including in safety-related areas. Many in the industry
and Congress felt that the NRC had failed to give sufficient recognition to these
improvements. They argued that the Commission’s continued intensive inspection effort was
too intrusive and expensive for a highly competitive industry that had implemented effective
safety programs on its own initiative.
Also, in recent years NRC had developed improved regulatory tools. These tools
included: substantially more sophisticated PSA (probabilistic safety analysis) techniques
through advanced computer modelling; the evolution of safety codes and guides; new and
improved inspection techniques; advances in non-destructive testing; and revolutionary
developments in information technology and communications that enabled information to be
acquired, processed and transmitted much faster and less intrusively.
Political and economic factors also influenced the regulatory environment. For
example, the restructuring and de-regulation of the electric utility industry in some parts of the
USA created pressures to reduce regulatory costs. Utility share-holders, industry
representatives, interest groups and the Congress all reflected the opinion that the NRC’s
regulatory effort was not making the best use of resources in enhancing safety. Internal factors
at the NRC also played a part, as the Commission faced budget reductions and staffing
constraints. Along with a major reorganization along the lines of a business model, the
Commission felt it needed to make some major changes to its oversight process.
6.3.1.1. Objectives of risk-informed, performance-based system
What does the NRC seek to accomplish with its new system? The main objectives of the
new system include:
x Taking advantage of risk insights through PSA and computer modeling of reactor systems;
x Rewarding good performance by reducing regulator attention in areas that do not warrant
it;
x Focusing attention on poor performers;
x Focusing attention on areas where risks are potentially greatest;
257
x Reducing unnecessary regulatory burdens on nuclear operators;
x Increasing predictability and consistency of regulatory oversight;
x Making more efficient use of regulatory resources.
The RI/PB approach has other advantages that are expected to make it an effective tool
for enhancing safety. Because of its simplicity, visual character and organizational clarity it
can help bridge the gap between nuclear technicians and persons interested in nuclear safety
who lack a technical background. For example, the new system can help educate new utility
executives and managers that lack experience in the nuclear business about safety-related
issues. It should enable safety managers to communicate effectively to higher management
about the status of plants and to focus their attention on issues needing attention and
resources.
The approach should also be an effective mechanism for informing the public about the
overall situation at nuclear plants. As will be further discussed, the RI/PB system involves a
colour-coding of various performance indicators deemed relevant for nuclear installations.
This will enable anybody with computer access to the world-wide web to rapidly and directly
view a simple, graphic assessment of a nuclear plant in their vicinity (or anywhere in the
country). For plants showing positive assessments, this open access should contribute to
public confidence by clearly demonstrating regulatory attention to safety matters. For those
with less-satisfactory assessments, the new approach could generate public or share-holder
pressure on a utility to resolve areas of high risk or poor performance.
Structure of the risk-informed, performance-based system
The overall structure of the new assessment program covers three strategic performance
areas: reactor safety, radiation safety and safeguards.
Under these three strategic areas, are seven fundamental elements designated as
cornerstones. In architecture, a cornerstone is a foundation stone that supports the rest of an
edifice. The Oxford dictionary also defines it as an indispensable part, or basis. The seven
cornerstones consist of the following:
I.
II.
III.
IV.
V.
VI.
VII.
Initiating events.
Mitigating systems.
Integrity of barriers to the release of radioactivity.
Emergency preparedness.
Occupational radiation safety.
Public radiation safety.
Physical protection.
Under these seven corner stones sixteen performance indicators have been identified.
These are the detailed areas in which NRC will conduct a plant assessment, using riskinformed techniques as well as the deterministic approaches that have always characterized
the regulatory process. (See Table XVII).
258
6.3.1.3. Colour-coded assessment indicators
The NRC has also identified three so-called “cross-cutting” elements that apply to all of
the corner stones and performance indicators, and will be assessed for all other elements.
These are:
x Human performance.
x Management attention to safety and workers’ ability to raise safety issues.
x Finding and fixing problems.
Having defined these cornerstones, performance indicators and cross-cutting elements, it
is important to understand how the NRC uses them in the concrete process of reactor
oversight. The NRC wanted a clear and simple way to indicate levels of performance. That
could have been done through a numerical system or an academic-style letter grading system
(A = excellent; F = failure). However, the NRC decided to utilize an approach that resembles
a motor vehicle traffic control system. This approach uses colour-coded designations to give
visual clarity to its assessments. Colour-coding allows the NRC to graphically present the
status of plant performance on a single sheet of paper, providing a dramatic and — for the
public — a very understandable indication of safety performance.
TABLE XVII. ELEMENTS OF NRC’s NEW OVERSIGHT PROCESS
Cornerstone I — Initiating events
1.
Unplanned reactor shut downs both automatic and manual.
2.
Lost of normal reactor cooling system following an unplanned shut down.
3.
Unplanned events that result in significant changes in reactor power.
Cornerstone II — Mitigating systems
4. Safety system not available--specific emergency core cooling system and emergency
electric power systems.
5.
Safety systems failures.
Cornerstone III — Integrity barriers to the release of radioactivity:
6.
Fuel cladding (measured by radioactivity in reactor cooling system).
7.
Reactor coolant leak rate.
Cornerstone IV — Emergency preparedness
8.
Emergency response organization drill performance.
9.
Readiness of emergency response organization.
10. Availability of notification system for area residents.
Cornerstone V — Occupational radiation safety
11. Compliance with regulations controlling access to radiation areas in plant.
12. Uncontrolled radiation exposure to workers greater than 10 per cent of regulatory limit
Cornerstone VI — Public radiation safety
13. Effluent releases requiring reporting under NRC regulations and license conditions.
Cornerstone VII — Physical protection
14. Security system equipment availability.
15. Personnel screening program performance.
16. Employee fitness-for-duty programme effectiveness.
259
How are the colour-coded assessments to be interpreted?
Green means that all of the seven cornerstone objectives have been met and that there is no
significant deviation from expected performance.
White indicates that there are certain areas in the cornerstone that are outside the bounds of
expected performance on specific performance indicators. Overall cornerstone objectives
continue to be met and, most importantly, deficiencies identified have a very small effect on
accident risk.
Yellow indicates that the cornerstone’s objectives are met, with minimal reduction in the
safety margin. However, performance changes can have a small effect on reactor accident risk.
Red is the lowest of the level, and indicates that plant performance is significantly outside the
design basis. Significant reductions in safety margins have occurred and continued operation
may be unable to provide assurance to the public health and safety.
6.3.1.4. NRC response plan under the new assessment system
Based upon the assessment of cornerstones and performance indicators, the NRC has
adopted a response plan indicating what regulatory action will be taken. The response plan is
based on five levels.
Level I — cornerstone objectives fully met
For a plant where all cornerstones are met and all of the inspections findings are green,
NRC will conduct only routine inspection activity, with NRC staff interaction with the utility.
The commission’s baseline inspection programme applicable to all licensed reactors will be
conducted, with an annual assessment at the public meeting, typically conducted in the area of
the plant.
Level II — cornerstone objectives fully met (no more than two white inputs in different
cornerstones)
This level shows somewhat deteriorated performance, but the objectives under all seven
cornerstones continue to be met. This level indicates acceptable performance, but with some
regulatory issues needing attention. The NRC response takes place at the regional level,
involving a public meeting with utility management. The utility is expected to take corrective
action to address the white areas in its performance assessment. NRC inspectors follow-up to
ensure that the corrective action has been taken.
Level III — degraded cornerstone (two white inputs or one yellow or three white in any
cornerstone)
This level of assessment begins to be serious because one of the key cornerstones has
been degraded. The NRC response remains at the regional level, but in this case the
Commission’s senior regional management holds a public meeting with utility management.
The utility is also required to conduct a self-assessment with NRC participation. Additional
NRC inspections are focused on the causes of degraded performance.
260
Level IV — repeated or multiple degraded cornerstones (multiple yellow or red inputs)
This level signals serious safety-related issues at a plant. The NRC response is at the
agency, rather than regional, level. The Commission’s Executive Director for operations holds
a public meeting with senior utility management. The utility is required to develop a
performance improvement plan, with active NRC oversight. An NRC team inspection that is
set out to the facility covering all the areas of concern that focuses on the causes of degraded
performance. The commission may also take enforcement action by transmitting a demand for
information, by issuing a confirmatory action letter (formally recognizing steps taken by a
licensee), or by issuing an order directing the utility to take certain action.
Level V — unacceptable performance (overall red inputs with unacceptable reduction in safety
margin)
Under this level, NRC takes serious enforcement action at the agency level. The plant is
not permitted to operate and the Commission, itself, meets with the senior utility management
at agency headquarters in Washington. The Commission may issue an order to modify or to
suspend or revoke the utility’s operating license.
6.3.1.5. Implementation of the new assessment system
NRC began to develop the proposal for its new oversight process in 1999, with a pilot
project. The system was applied to 9 plants in the USA in a preliminary way. After six
months, this pilot programme was evaluated on the basis of comments from major
stakeholders, including licensees, interest groups and the commission’s own staff. In April
2000, NRC put the system into the preliminary effect for the entire USA nuclear industry. In
March 2001, the continued application of the system was confirmed by the Commission.
Implementing the system has required the NRC staff to integrate risk analysis
techniques with traditional deterministic approaches in a more extensive manner. Risk
analysis has been used to identify the sixteen performance indicators utilized in the new
system. Both risk analysis and traditional inspections are utilized to determine the level of
performance under each indicator. Assessment of each of the broad cornerstones typically
involves a mixture of technical, management and resource issues. The primary risk analysis
will be performed by the operator using either his own organization or technical assistance
organization. However, the NRC has a large staff that is capable of reviewing licensee risk
assessments in detail, based upon information provided by licensees, as well as independent
information available to the commission through its own research programme, or otherwise.
After completion of the analysis, the NRC is in a position to assign the colour-coded
assessment of performance to each cornerstone.
The new oversight process is an evolving approach. During the period of its early
implementation, the reaction from stakeholders has been positive. It is expected that the
programme will be adjusted on the basis of experience with applying the cornerstones and
performance indicators. Whether the system is continued in its present form or is significantly
modified will be determined on the basis of how well it continues to meet the objectives of
regulatory efficiency, effectiveness and economy that were the basis of its creation.
261
6.3.2. German safety culture experiences
The German nuclear industry has a broad experience in safety culture. Safety culture is
the collective commitment of an organization to high safety standards. In the following, some
features of safety culture are described and discussed.
Safety is the pivot in the public debate on nuclear energy. It is a prerequisite for its
future, as it was the centre of our endeavours for development in the past, from the very
beginning of nuclear electricity production. Looking back, three different approaches to
enhance safety are distinguished:
x From the start and in the phase of the commercial breakthrough of nuclear power plants,
the focus has been on technical solutions. The answer to any problem was better and more
sophisticated technique. Pursuing this strategy, we developed very reliable, but complex
machines. With increasing success, reliability and safety tended to approach a plateau, all
further improvements were more and more counterbalanced by added complexity.
x Then, human performance problems became the focus of attention. This brought about
significant improvements of the man-machine-interface, leading to a substantial lower
probability of a human being to err when performing his job in a NPP. But again, we
gradually seem to approach a limit that cannot be exceeded when following this strategy:
Increasingly more of the fixes of problems we establish, either simply do not hold for a
long time, or they just create another problem somewhere else.
x For further real improvements, we have to go beyond technical design and beyond the
performance of individuals and their interactions with components and technical systems.
We have to include into our reflections and endeavours also interactions between
individuals, collective social and organizational processes, and managerial policies and
practices. Psychologists speak e.g. of “supra-individual and self-regulating structures“
and of “behaviour settings“, in the nuclear industry, we created the term “safety culture”.
Safety culture is an integral part of the quality assurance programme. As safety itself,
safety culture is the irrevocable responsibility of an organization, which is operating a NPP
(self-regulation, no dilution of responsibilities). Within the organization, it is the management
that takes the overall responsibility for a high safety culture. It shapes the environment in
which people work, and thus influences their behaviour and attitudes to safety. Safety culture
comprises all the organization’s arrangements for safety.
6.3.2.1. Objectives of safety culture
The IAEA has defined safety culture as follows:
“Safety culture is that assembly of characteristics and attitudes in organizations and
individuals which establishes that, as an overriding priority, nuclear plant safety issues
receive the attention warranted by their significance”.
A shorter definition comes from the confederation of British industry:
“Safety culture is the way we look at things and the way we do things around here”.
262
An important factor of safety culture is that it is more than the sum of its parts, it is a
collective commitment to safety. Therefore, to gain a high safety culture, one must not focus
on1y on individua1s, but rather on the organization as a whole.
The general objective, to enhance safety culture, is too abstract to be operable. It can
be subdivided in 4 sub-objectives, which are more tangible:
High safety standard
To develop the safety standards of nuclear power plants as high as possible needs no
justification in this lecture. But it is important to make clear that high standards of safety have
to be achieved by both, the organization and individuals.
No conflict between safety, production, and costs
Safety should not be jeopardized in the pursuit of production targets. On a long-term
basis, only a safely operated plant can meet competitive goals. The top-management of a NPP
has to bear this in mind and to sharpen the awareness of sub-managers and staff for this
strategic view, and to ensure that the pressure of short-term optimisation does not override this
long-term recognition.
On the other hand, to be fair, an absolute priority of safety over costs can never be
reached, and on an ethical basis, it even would not be acceptable. As everything else, safety is
subject to the law of declining marginal utility. The higher the safety, the more money has to
be spent to gain only a small increase in safety. Above a certain limit, it is not justified to use
this money for that small advantage, when it could bring much higher benefits if used to
reduce other risks or even real harm.
But this triviality must not be abused to refuse a very high ranking of safety and to
reject any reasonable improvement in safety matters. Fortunately, this problem is reduced by
the simple fact that most measures to increase safety simultaneously also increase reliability
and very often reduce operating costs, for example improved planning and work control,
clearer accountabilities, reduced organizational interfaces, better communication and team
work, and so on. Improving safety culture, properly done, is largely identical with a more
effective management of works. Reasonably looked at, conflicting goals between safety
enhancement and cost reductions are rather rare events, and they can be decided upon in a
rational manner, giving safety the attention needed.
Good communication between, and co-operation of all units and levels
For complex tasks, which require teamwork, communication is one of the key factors
for effective and successful performance. Good communication brings about three essential
advantages:
x It is a good defence against misunderstandings;
x It helps to override hierarchical and departmental barriers; and
x It contributes to satisfactory working conditions, which on their side improve the
motivation of workers on all levels.
263
More effective conduct of work
Effective conduct of work is a prerequisite for competitiveness and for safety, and
simultaneously, it creates satisfaction with one‘s work, which again is the basis for
motivation.
6.3.2.2. Features of safety culture
A high safety culture ensures good safety performance through the planning, control,
supervision, and performance of all safety related activities. To fulfil this, the management of
a NPP should make an ongoing effort in the following 5 fields:
Definition of safety requirements
An organization should express its commitment to high safety performance in a clear
and unmistakable way, for example in a vision or mission statement defining safety
requirements. In addition, it should specify the responsibilities and activities required to
ensure safety and to satisfy legal, regulatory and company requirements, and it should provide
the resources (sufficient and competent staff, tools and equipment} necessary to achieve all
that. In a consistent framework, the management should define what needs to be done, to what
standard and by whom.
Senior managers should develop ownership and active support of the organization‘s
safety policy, and they should eagerly disseminate it throughout the whole organization. All
managers should understand their roles and responsibilities, and should ensure that all
individuals concerned are aware of and accept their safety responsibilities and have the
capability and the appropriate resources to discharge these responsibilities effectively.
Ensuring high safety standards in planning and control
The management of a NPP has to ensure that all safety related activities are properly
planned and controlled, including identification of risks to health and safety, selection of
procedures and precautions, and — if appropriate — arrangements to cater for emergencies. It
also has to determine work authorisation requirements on a systematically basis.
Ensuring high safety standards in work performance
To attain high safety standards in work performance, the management of a NPP has —
amongst others — to ensure that all staff have the competence required, and it has to provide
for effective communication and team support. The latter should help to understand and
accept safety arrangements, reduce error probability, improve feedback mechanisms, and
enhance satisfaction at work and thereby motivation for good performance.
Additionally, the management has to support good safety practices and to correct poor
practices. Presence of managers at the work place, appropriate awards and sanctions, and
encouraging the reporting of failures and “near misses” can help to obtain that goal.
Encouraging safety related attitudes and behaviour
Questioning attitude, rigorous and prudent approach, and good communication are the
characteristic features of a good safety culture. It is the task of the management to improve all
264
three of them, in order to obtain an ever-higher safety culture. The shaping of attitudes and
behaviour is a much more demanding task than the — equally necessary — task of improving
competence and skills of individuals. It is the real core of “improving safety culture”, and, in
spite of all doubts, it can be met successfully. We do perform this task in NPPs all over the
world, and we do have some success in our endeavours. But it is my personal impression that,
in a large number of cases, the success could be increased by applying a more systematic
approach, or with some outside assistance, for example by IAEA or WANO.
Improving feedback on safety performance
To facilitate an effective feedback system, safety performance must be measured
routinely. The measures should have the capability to highlight whether the safety
performance of the organization is being maintained or improved, and they should also allow
the underlying causes of any performance deficiency to be identified. This is essential, if
appropriate counter-measures are to be identified. Measuring the safety performance is both,
easy and delicate simultaneously.
After measures have been defined, audits and reviews should be performed on a
regular basis. They should cover all safety-related areas and should be carried out either
internally or through independent institutions on a peer basis. IAEA, WANO and INPO offer
corresponding services.
In response to findings in audits and reviews, appropriate corrective actions have to be
identified and implemented. The management has to ensure that this is done systematically
and that it includes an assessment of the effectiveness of the corrective actions after their
implementation.
6.3.2.3. Specific safety culture issues
Flexibility
The description of safety culture given above is neither complete nor generally
applicable. In any case, due allowance should be given for adjustments to different cultures in
different countries and in different companies. It is the overall effectiveness that counts, not
the specific composition.
Effectiveness
The management of a NPP sets the framework for all endeavours to enhance safety
culture. But it should be clearly pointed out that even the most perfect framework can never
substitute the commitment of the individuals concerned. A more perfect framework is a help
to reach the goal with a higher degree of probability, but it can never be a warranty. To
enhance safety culture, the right individual attitude of the senior managers is indispensable. If
the senior managers do not feel it necessary to improve the safety culture, no framework and
no system, however perfect, can be successful.
Another problem with perfect systems holds even for willing people: Whenever a
system is very perfect, people tend to perceive this system as a means that automatically
achieves the goal, without the need for strenuous individual effort; the system solves the
problem, not individual strain and engagement. This subjectively felt sense of relief from
individual challenge and responsibility is a common phenomenon in case of perfect systems
265
and also holds for safety culture. A good system is essential, a perfect system can create new
problems.
Finally, to reach a high effectiveness level, all employees, managers and staff, have to
accept the goal of high safety performance and to understand the processes and procedures the
organization has chosen to pursue that goal. They have to do what is right, because they know
what is right, not because it is required.
Sustainability
Humans tend to choose the easiest way, to forget things, to stop thinking, and to
transfer carefully considered procedures into automatically followed routines. Therefore,
safety culture is an inherently declining feature. If we do not continually strive to enhance it, it
gradually degrades. We constantly have to move forwards, ever standing still means stepping
backwards. The management of a NPP has to establish an ongoing learning process as part of
the safety culture, otherwise an established standard cannot be maintained.
Performance indicators
Monitoring the safety performance is a management responsibility. The use of
quantitative performance indicators has a lot of advantages (e.g. enabling trending, goal
setting and benchmarking with other plants), but care should be taken not to give them too
high a value in order to avoid misleading effects:
x For example, if reaching a low number of unplanned automatic scrams is valued very
highly, pressure could rise to adjust the set points for triggering the scram appropriately.
x Or, with regard to the collective dose, people could find themselves seduced to reduce
equipment tests, or they could welcome a reason for not performing inspections of the
workplace and work practices, and so on (this problem is independent of the more general
dispute on the appropriateness of this indicator due to substantial doubts regarding the
validity of the linear-no-threshold hypothesis, which is the base of the collective dose).
x As a last example, the number of significant events as a performance indicator could
increase tendencies to cover up or to play down the importance of the event.
Very probably, every indicator can exert negative influences, if it is valued too high.
So, performance indicators are useful and probably even necessary, but they should be used
with care and the management should clearly explain their limited importance.
Self-assessment
As already stated, safety culture tends to degrade with time. This problem is amplified
by the very nature of humans, which impedes early recognition of declining performance. First
signs and precursors are often denied or just regarded as isolated cases. This defence
mechanism is principally stronger when the information about negative signals comes from
outside institutions. The other way around, it is generally easier to accept unpleasant news, if
they are detected by one‘s self. Therefore, it is preferable for an organization to have an
internal or self-evaluation programme. This self-assessment generally can identify signs of
degradation earlier than an external audit or review. If detection is left to the latter (or even to
actually occurring events), the required corrective actions are often far more extensive and
266
expensive to implement. Of course, the critical self-assessment has to be complemented by
clearly prioritized action plans, which address the root causes and which are pursued
rigorously.
The self-assessment reinforces the responsibility of the operator. But, to avoid
complacency and professional blinkers, the self-evaluation programme should be supported by
periodic external peer reviews. The frequency of these external reviews can be much less than
that of the internal assessments, but from time to time an external check seems to be a sound
corrective.
Indivisibility
Safety is indivisible. Low standards in industrial safety or in housekeeping, a large
backlog in maintenance work, a poor archiving system, and all similar conditions, give clear
evidence of threats to nuclear safety.
Top is top, but only the number makes it work
The strong commitment of senior management is a prerequisite to establish and
maintain a high safety culture. But the strongest commitment from senior managers cannot
compensate for lack of support from the whole staff. Only if all employees (or at least most to
them) take ownership of a programme to enhance safety performance continually, a really
high standard can be reached. Senior managers can work as hard as they like, without support
of their staff they will never reach a high level of performance. The quality of individuals is
important, but the quantity of support decides the level which can be reached. The
management has to find the means to get real support from all employees.
Safety is the sum of 1001 nothings
There is no single big strike by which one can reach a high level of safety performance.
Rather, it is always a long and strenuous way with thousands of small steps, most of them
seem to be only of secondary importance, but they all contribute to the great goal, and none of
them can be left out without endangering the goal. It is the task of the management to make
sure that all small steps are taken seriously and are implemented properly.
Group behaviour
Group work is essential, but care has to be taken of special group effects. For example,
groups bring about a diffusion of responsibilities, and they tend to develop common opinions.
This undermines questioning attitudes and, together with the encouraging feeling of shared
judgement, it actually leads to a higher risk taking. The management of a NPP should be
aware of these psychological effects. Their principles and appropriate countermeasures should
be integrated into training programmes, and, very important, responsibilities should strictly be
assigned to individuals, not to groups.
A very effective measure to reduce negative group effects is that the leader speaks last.
This brings about at least 4 essential advantages:
1. Group members are encouraged to tell their true and independent opinion, and not just
repeat what the leader has said;
267
2. This increases the motivation and creativity of the group members, and it reduces the
danger of self-consolidating opinions by frequent repetitions;
3. It enables the leader a better assessment of the quality of his subordinates;
4. And finally, it gives the leader the chance to recheck his beforehand built opinion before
speaking it out loudly, thus reducing the probability of looking like a fool.
Error management
How an organization deals with errors has a key influence on how well it can obtain a
high safety culture. Three features are essential, and the management of a NPP has to ensure
that they are established firmly in the organization:
x First, errors should be regarded as a chance for learning, instead as a reason for punishing.
Errors should be pulled out of the taboo corner and discussed openly. The better the
communication on errors, the higher the safety performance (and the commercial
performance!) of an organization. Never ask who made an error?, but always why did this
error occur? But be careful to keep the balance: Even when people should not be punished
for errors, they still must be held responsible for the errors they make or might make;
x Second, the goal of preventing errors should be complemented by the goal of managing
errors that is handling the consequences of an error effectively. Since errors can never be
avoided completely, we have to learn to cope with them;
x And finally, we should keep in mind that any individual error is necessarily embedded in
organizational processes, the subject the management has to take care of. It are these
processes, which determine largely the probability of errors.
Wrap things up
Errors, weaknesses and areas for improvement are often known for substantial times,
but countermeasures taken — if any — just alleviate the problem enough to carry on operation
and do not really address the root causes, or they are simply not followed rigorously until the
problem is really solved. Recurring events, continued improvising, and unacceptable high
numbers of unresolved problems with overall reduced safety margins are the consequences.
The management of a NPP has to establish and reinforce procedures that ensure timely,
complete and sustainable solutions to all problems arising.
Training
Training has to be viewed as an investment, not a cost. The management of a NPP has
to make sure that training needs are identified for each job profile and each individual, and
that training is performed at high quality. A good means is to use staff members as trainers,
because teaching/mentoring/coaching is the best learning, but that must not compromise the
quality of the training sessions. The training should include learning from failures and
learning from successes and from good practices. Success is a strong basis for motivation, and
failures seem to be necessary to recognise the right direction.
6.3.2.4. Closing remark
The key factor for achieving high safety performance is the same as that for achieving
success in competition: Good leadership.
268
6.3.3. Interface of regulator and operator — Finnish experience
In Finland, the decision of the council of state on the general regulations for the safety
of nuclear power plants says in its Section 4: “When designing, constructing and operating a
nuclear power plant an advanced safety culture shall be maintained which is based on the
safety oriented attitude of the topmost management of the organization in question and on
motivation of the personnel responsible for work”. This pre-supposes well organized working
conditions and an open working atmosphere as well as the encouragement of alertness and
initiative in order to detect and eliminate factors which endanger safety.
6.3.3.1. Cornerstones of nuclear safety culture
In the following a few selected principles are discussed that have been emphasised in
Finland as essential cornerstones of nuclear safety culture. These principles relate to the
expectations with respect to the government, the regulatory organization, and the users of
nuclear energy (utilities).
Government
When a government makes a decision to use nuclear energy for power production, it
should recognise the consequent long-term commitments. Nuclear safety culture cannot be
established in an atmosphere of uncertainty, and therefore the government has to ensure
predictable and smooth evolution of the national nuclear energy programme. This involves:
x Specific legislation for use of nuclear energy;
x Education of the public on the benefits and the risks of nuclear energy;
x Commitments concerning safe nuclear waste disposal and liability for nuclear accidents;
and
x Continuous provision of adequate means for basic nuclear training, safety research,
regulation, and international co-operation.
The organizational framework for nuclear energy use and regulation has to be provided
in the nuclear energy legislation. For this purpose the legislation has to define:
x Duties, responsibilities, and rights of various players in the nuclear field;
x Procedures for licensing nuclear facilities with adequate participation of the general
public;
x Means of regulatory control: rule making, safety evaluations, and inspections.
Education of the public is necessary for removal of unfounded fear towards any
nuclear facilities which serve the national energy programme. Also, objective information on
benefits and risks is needed to permit all citizens to judge whether the use of nuclear energy is
in line with the overall good of society. Furthermore, education would facilitate proper
response of the public to a potential nuclear accident. The duty of producing educational
material should be assigned by the Government to a proper public organization.
Commitment to safe disposal of nuclear waste is inevitable at the national level even
though the users have a responsibility for the practical disposal measures. The government has
to provide regulatory requirements and the means to verify their fulfilment, in order to assure
269
itself that the disposal methods to be adopted are acceptable. The verification has to be
supported by a research programme which is independent from the research done by the users
of nuclear energy.
Liability for nuclear accidents cannot rely on individual companies alone because any
company has a de facto upper limit for its economic resources. On the other hand, no person
should be left without a fair compensation for his losses, should a major nuclear accident take
place. Therefore it is necessary for the government to commit itself to bear the liabilities not
covered by other means.
A certain amount of public funding and infrastructure is needed for any national nuclear energy programme. It may be well founded to collect some part of the funds from the
users of nuclear energy, but the main thing is that the government decides what is the proper
amount.
As concerns basic nuclear training, it should ensure a steady flow of graduated students
into the nuclear field. As long as nuclear energy is being used in a country, a most important
thing is a wide age distribution of engineers with nuclear knowledge.
A national research programme must be so broad that it covers all aspects relevant for
nuclear safety. It has to be noted that a research programme with an adequate depth employs a
number of experts dedicated to highly specialized fields, and their employment must be
ensured with funding which does not change sharply from year to year.
The regulatory organization requires a minimum size as well, to be able to cover all
technical disciplines relevant for nuclear safety. Funding of that organization should stay
stable unless there are major changes in the extent of the nuclear programme. This stable
amount of funds can with a good reason be collected from the users, and thus be included as
an essential element into the costs of nuclear energy.
International co-operation is needed to gain access to the state-of-the-art knowledge,
which is an essential condition for maintaining a high safety level. The provisions include
international agreements and other arrangements for co-operation, and funding of the regular
contacts.
Regulatory organization
The regulatory organizations are frequently seen as “watch dogs” who control their
“customers” on behalf of the general public. This is certainly one of their roles, but to see the
regulatory organization from such a perspective only may not be best for the development of
safety culture.
In the work of STUK-Radiation and Nuclear Safety Authority, it is strongly
emphasized that the users of nuclear energy bear full responsibility for safety, and therefore
true respect should be given to their views and proposals. An important duty of the regulators
is to support and foster good safety performance of the users.
270
A regulatory organization promoting good safety culture must develop and maintain:
x Logical and predictable behaviour;
x Frank and balanced relationship with the users of nuclear energy; and
x Knowledge on the state-of-the-art in the nuclear safety field.
Logical and predictable behaviour means a number of things. The regulatory staff
members must approach the technical issues in a consistent manner, and observe any
previously declared decisions by the regulatory body. The formal communications with the
users must be based on clearly defined and standardized procedures. This is not to
underestimate the importance of the fast informal contacts between the organizations, but a
formally recorded conclusion is needed whenever a position is taken on a regulatory issue.
The requirements and acceptance criteria should be known to the users before they start
planning respective issues. Any requirements set by the regulatory organization must be
supported with sound technical arguments, unless a fully applicable rule exists for taking a
regulatory position on the issue in question. Upgrading of requirements should be limited to
situations where new information has raised previously unknown concerns on the issue, or
new safety objectives have been adopted as a top level regulatory decision.
The first pre-requisite for a frank and balanced relationship with the users is that the
regulatory staff are able to discuss issues at the same technical level as the user
representatives. If there are different opinions between the regulatory and the user experts, the
regulators must be able to support their case on sound technical evidence. In a dispute, the
individual regulators must also provide without hesitation a possibility to submit their position
for consideration by their own supervisors.
When corrective measures are required, the regulators must provide realistic time
scales without undue pressure to the users. Exceptions are issues which cause a significant
increase of the previously estimated risk.
Availability of the regulatory staff, for making mandatory inspections whenever needed
by the users, is necessary for maintaining good working relationship with the users, and for
motivating top performance in them.
The regulatory organizations are natural focal points for building contacts with the
foreign organizations worldwide. Therefore they must possess expertise to collect and transfer
knowledge on the state-of-the-art in the nuclear field. As soon as new relevant information is
available to the regulatory body, it must distribute it also to the users. Information should be
transferred on:
x Domestic and foreign safety research;
x Domestic and foreign operating experience; and
x New safety regulations home and abroad.
Users of nuclear energy
All arrangements and measures by the users should reflect the fact that they bear the
ultimate responsibility for safety.
271
Striving for excellence, rather than the fulfilment of written rules, should be selfevident in any user organization. The users following this line set their own performance
standards for activities they find most important to ensure their own reliable and safe operations. Striving for excellence also means that the user has a steady investment programme.
Such a programme is needed to keep the material condition of the facility at least at the same
level it used to be after first start-up, and to improve reliability and safety. Another important
target for investments is training of the personnel.
An important part of the strive for excellence is detection and removal of safety
problems. This can only be done in an open atmosphere where all technical problems and
human errors can be reported without a fear of negative consequences to individuals or the
user organization in general.
As concerns the user staff, an issue requiring continuous attention is how to maintain
the spirit of private initiative and feel of personal responsibility beyond the statutory tasks of
each individual. An observation from the Finnish users is that all arrangements feeding
professional pride among the individual workers are important contributors in addressing this
issue.
Implementation of safety culture is not an action that could be started only by writing
some new instructions. Its roots are in the national culture and in the values of each
organization, and the evidence of it should be more or less visible in all daily activities of the
plant and its supporting organizations. In the following, a few concrete examples are
mentioned which clearly manifest safety cultural elements at the Finnish NPPs.
Atmosphere in all organizations is essentially created by the attitudes and practical
example provided by the top management. This fact is recognised by the management of both
Finnish nuclear utilities, and it is manifested through their direct involvement and keen
interest in matters concerning safety as well as quality assurance.
Finnish utilities have implemented a number of projects to maintain and improve the
knowledge and skills of their organization and individuals. These projects include
modernisation of the plants, continuous development of operating and maintenance practices
and tools, and PSA studies. In all of these projects the responsibility for key tasks has been
assigned to their own staff, as opposed to giving it to external consultants.
Modernization of the plant systems and replacement of components are carried out
observing the original design requirements, but also taking into account the upgraded new
safety criteria. Updating of plant specific documentation is an essential element of
modernisation work. Such projects keep the plant and the supporting organization staff
familiar with all relevant design requirements, and develop their professional skills and
general motivation. In parallel, knowledge on the current design basis is maintained.
Continuous and well-tailored re-training programmes for all personnel levels maintain
staff motivation, and also help to promote new ideas. The ability to use an up-to-date full
scope-training simulator at each plant is of great value. Safety culture has for several years
been a topic in induction training of new employees, in staff re-training, and in training given
to contractor personnel who work on site during outages. The importance of knowing,
understanding and following valid procedures is regularly emphasised in the training activities
and in other general communication.
272
The continuous assessment, development and updating of quality assurance manuals
and procedures is important in preserving the credibility of the QA-system. This system also
defines the organizational line responsibilities. Plant management calls together QA and
safety meetings and internal as well as independent audits of the QA-system performance are
carried out periodically. A well functioning QA-system is one of the basic cornerstones in
fostering safety culture in Finnish NPPs.
The utilities have established systematic methods to utilise operating experience from
their own plants as well as from other relevant sources through participation in proper
international organizations. In WWER-type plants, direct contacts with other similar plants
have been of special importance.
Well-planned and systematically organized maintenance is an essential element in
preserving the safety of the NPPs. This includes careful outage planning and a critical
assessment of components and phenomena that are life limiting.
General order and cleanliness have been important issues from the start of operation in
all Finnish plants. In recent years, success in this respect has been regularly assessed by each
plant management team. A performance index has been developed for this purpose, and good
results give a financial bonus to the employees.
Several measures are taken to promote the general positive atmosphere and motivation
of the personnel. Separate polls have been carried to show areas where development in the
organization’s or individual’s conduct is needed. Possible problem areas have also been
discussed in general meetings.
The exchange of general information and especially communication of planned plant
activities within the organization is important in maintaining a high motivation level among
the personnel and to give them an opportunity to make a positive contribution to developing
the processes.
Direct contacts between the technical personnel of the utilities and STUK are frequent,
and the importance of frank relations is emphasised by the management and well understood
by the personnel of both utilities.
6.3.3.2. Promoting safety culture
When promoting safety culture the concept of organizational culture should be
considered carefully. Organizational culture is based on the values of the organization and on
the practices based on these values. It is the responsibility of the management to see that the
organization has the right values. Especially in the safety critical organization, safety is the
most important value. In good organizational culture and in good safety culture, openness,
thrust and two-way communication are extremely important both inside and between
organizations. Poor communication has been an important contributor in many nuclear and
conventional accidents, and that is why the importance of communication should emphasized.
Management of safety and safety culture are based on the commitment of personnel at
all levels. The safety management system comprises the arrangements in order to promote a
strong safety culture and to achieve good safety performance. The safety management system
is generally considered to be an integral part of the organization’s quality management system.
273
Actually, these two are closely linked in an organization. The quality management system is a
system that describes all the activities and functions of an organization including those
activities that are related with the safety of the plant.
The regulatory body can effectively promote the safety management system of the
operator by promoting critical self-assessment and respective corrections within the operator.
The regulator avoids acting in a manner that diminishes the responsibility for safety of the
regulated organizations. This means that at first, the utility and operator are given a chance to
correct the situation on their own; but if the operator does not correct the situation then the
regulatory body has to act. Secondly, the regulatory body cannot give the solution to the
operator. It is the role of the regulator to make questions. If the regulator has observed
something, then the regulator should ask the operator “why did you not observe this by
yourself?” and “how will you improve your surveillance practices, so that you will observe
similar situation in the future?” And further, “what actions you will take to avoid a similar
incidents or similar failures in the future?” It is the role of the operator to take corrective
actions and be given a chance to respond. Then it is again the role of the regulator to review
these actions to see whether they are sufficient and only after that to ask for some additional
actions, if needed.
Systematic and standardized methods of communications are needed with the operator
and it is good if these standardized methods are described in the quality system. For example,
protocols of the meetings with the operators are needed. Regulators should not make any
decision on telephone or during conversations with the representatives of the operators.
Usually, it is also a good practice that representatives from the same levels of the regulatory
body and utility organizations participate in meetings. STUK has the habit never to take
decisions in meetings. Discussions take place over different alternatives, time schedules, etc.
but the decisions are made always later because of strict rules about who is responsible to
make a certain decision. It is also good if the regulator is service minded as concerns work
schedules and the availability of the regulatory staff. This is especially important during the
plant shut downs when modifications are made at the plant — the inspector should be
available at the time needed.
Especially important is the public commitment of utility management to safety. The
managers present a good example. The organizational culture can be best affected through an
example: what leaders or managers pay attention to what they measure and control that is
important. So, it is the example of the managers that is the most important in the developing
of organizational culture or safety culture.
The licensee and specifically the management of the organization has the full
responsibility for the safety of his plant. The responsibility of the regulatory body is to define
the safety requirements and to verify by means of inspections that the requirements are
fulfilled. This is the role of the regulatory body. The regulatory body promotes an atmosphere
of confidence and respect with the operating organization. If particular problems occur during
operation the regulatory body requests a solution to be proposed by the operating organization.
The regulator reviews the solution presented by the operator.
When studying the no blame culture, the important word is intentional. If the violation is
intentional then the regulator should give a penalty. For example, if a mistake is made by a
maintenance person, normally, it is not intentional. When analysing the mistake one often find
a root cause showing that it is not directly related to the person making the mistake but it
274
might be a poor instruction or lack of training. One should be very careful when giving
penalties to individuals who are at the lower levels of the organization and have little
responsibility.
Regulatory inspection of safety culture
The regulatory body can evaluate the operator’s safety culture. For the regulatory body
the most natural means are finding tangible evidence and weaknesses of safety culture. A
good approach is to search real events where decisions were taken under difficult
circumstances; these cases are assessed and conclusions are made. The Finnish regulatory
body is continuously trying to assess the safety culture of the utilities by making qualitative
assessments and trying to gather information on decisions of the utility for trying to recognize
early signs of deteriorating performance. Another possibility is the assessment of incidents:
what kind of decisions were made during and after the incidents from the safety culture point
of view.
There are early indicators, which characterize the safety culture of operators. At first,
some declining safety performance might be observed and if attention is not paid it could lead
to safety problems. Actions should be taken as early as possible and therefore, the early signs
of weakening safety culture are important. Often these early signs are minor and one cannot
take any regulatory action. The regulator can discuss with the utility about the early signs.
Resident inspectors have a good possibility to detect early signs of the safety culture because
they are all the time at the plant. During team inspections, one can collect data on decisions
affecting safety. In Finland, periodic safety review also includes a review of safety culture of
the operator and the operator is expected to perform self-assessment of safety culture.
Special surveillance programme is needed to collect the early signs of weaknesses in
safety. What kind of signs is to be looked for? A list of signs of declining performance in
management is taken as an example, because the management is the most important part of
the organization for the development of safety culture. The management should be an example
to the rest of the organization. That is why it is extremely important to notice the signs of
weakening safety culture in the management activities. Some examples are: lack of pro-active
approach to safety issues (the management only react to problems when they should try to
prevent problems); lack of management awareness and involvement in plant activities (if the
management is only doing some administrative work and never go to the plant that is a sign of
weakening safety culture); incomplete information reaching the top managers (how can they
make the right decisions if they do not have all the necessary information); management may
be unwilling to face difficult problems and correct them; STUK has also a safety indicator
“capital investment in upgrading the plant” which is followed from year to year. Another sign
is the long delays or failure to meet regulatory commitments.
Signs of weakening safety culture can also be found in the activities of other parts of the
utility organization. Sections 6.2.2 to 6.2.5 provide a list of issues for assessing declining
safety culture. A list of early signs of deteriorating performance in the operational activities of
the plant contains, for example, operator errors due to inattention to details, alignment errors
in electrical and mechanical systems; operator errors due to inadequate training and so on. To
be able to reveal this type of signs the plant failure data and trends of performance should be
studied very carefully. If the number of errors is increasing, it is a sign of poor performance
and weakening safety culture. Specifically, recurring errors should be looked at.
275
What strategy the regulator should use in the response to the findings? It depends very
much on the situation and it is difficult to present any universal guidelines. If only a few early
signs are observed, then the regulator monitors the situations and documents the inspection
findings in the inspection protocols. If the signs persist and new signs appear then the plant is
placed under special surveillance, and the regulator meets with the plant management,
describes the observations and asks for the response. At this stage, the signs may still be rather
weak and perhaps it is not possible for the regulatory body to present clear regulatory
requirements. If the utility does not take any corrective action, the signs of declining
performance can become clearly visible; then the regulatory body should have a meeting with
the highest level of the utility management and also present an official requirement, official
letter to the utility. If that does not help, if the utility does not take any corrective actions and
the situation gets worse and performance continuously declines then there is a need for an
enforcement action. The enforcement action depends on the severity of the situation and also
on the legislation, national culture, and the practices that the regulatory body has adopted in
the similar situations.
6.3.3.3. The use of risk insights in the Finnish regulatory body
In Finland, STUK applies risk insights in decision-making. The approach is used most
often in the analysis of plant modifications and operational events, in the analysis of Technical
Specifications and in the analysis of inspection and testing. STUK has been active in
promoting the use of PSA both at the regulatory body and at the Finnish utilities, and STUK
has set forth requirements in the regulatory guides. There is a regulatory guide YVL 2.8
especially for PSA applications. In official letters to the licensees, STUK has required the
utilities to perform plant specific, level 1 and level 2 PSAs for their plants.
PSA is used in a living fashion by the utilities and STUK. STUK requires that the
licensee use the results of PSA in support of decisions on operational safety issues. PSA has
got an important role in the regulatory process and in the safety management of Finnish
nuclear power plants. During the 70ies when current NPP’s were licensed, reliability studies
were made for the most important safety systems. No complete PSAs were made at that time.
In 1984, STUK required the utilities to perform plant specific PSAs at level 2 for the existing
NPP’s. Guide YVL 2.8 presents quantitative design criteria for core damage frequency and
radioactive release frequency and also for the most important safety functions; compliance
with this criteria is needed for construction and operating licenses. The criteria are merely
design criteria.
The utility needs to perform the PSA work or at least the main part of the work to be
able to really use the PSA in decision-making. The reason is that they will learn about their
plant and they will learn about PSA and then they are able to use the results of PSA in
decision-making. A procedure needs to be written for the use of PSA and for applications.
STUK requires the utilities to perform qualitative and quantitative uncertainty and sensitivity
analysis. This is important in decision-making applications. The utility needs to use PSA in
the design and construction phase, in the operation phase, and also in designing severe
accident management strategies. At the moment, the use of PSA during the operation phase is
actual, but one has to be prepared for the construction of the new nuclear power plant unit.
Utilities have presented to STUK seven different alternatives and in that connection they have
also presented the preliminary PSA results.
276
The basic reason to perform a PSA is the identification of main risk factors. That
analysis is used in the design of plant modifications. In Finland several safety issues have been
identified through PSA, the importance of which were not recognized from the deterministic
analysis. Now STUK requires that the licensees need to present the assessment of safety
significance of the proposed modification, independently from the safety class of the system.
The modification needs to be modelled in the PSA. The PSA model needs to be living so that
all the changes at the plant are included in the model as soon as possible.
During the operation phase, typical application of PSA is the handling of exemptions
from the Technical Specifications’ document, i.e. justifications are based on both
deterministic and probabilistic criteria. Probabilistic study is required from the utilities. STUK
has also analysed the Technical Specifications’ document from the risk point of view. STUK
does not perform on line monitoring of the operation of the plant based on monitoring risk
level. STUK has had a pilot project to develop a risk informed method for the in-service
testing programmes. Some emergency operating procedures have been written based on PSA
findings. PSA has also been used when severe accident measures have been designed for the
Finnish plants.
PSA can also be used for the analysis of events and incidents. At STUK the use of PSA
is a standard method to assess the safety significance of the operational events. STUK has
performed systematically follow-up studies. STUK has analyzed failures of devices covered
by the Technical Specifications’ document, preventive maintenance and operating events. At
first screening is performed and then selection which of the events needs to be analyzed in
detail. The results of the analyses are followed as indicators. The indicator is the conditional
core damaged probability relative to the annual core damaged probability. There are two types
of events that are analyzed. Risk follow-up studies are situations where a failure has occurred
without initiating event, e.g. there is an equipment failure at the plant unit. Precursor type of
events are the events where an initiating event included in the PSA has taken place with or
without failures. In these cases the probability of core damage is calculated based on the plant
response to that particular initiating event. PSA is also a very useful tool in finding and
analyzing common cause failures.
Since the PSA criteria are especially meant for the design of the plant, STUK does not
look so much at the quantitative criteria in the operational phase. STUK looks at the results of
one plant and especially how the plant could be improved based on the results. It is true that
the results depend to some extent on who has made the analysis and what kind of assumptions
have been made in that analysis. STUK reviews the analyses very carefully to know the
differences between the analyses and to know which is more conservative and what has been
taken into account.
The utility performs the PSA analysis in the first place. The regulatory body reviews the
results, the model and all the assumptions they have made. STUK also has the model available
so that STUK can make its own calculations. STUK can make sensitivity analysis with its
own assumptions and with unmodified model to see what is the impact of changes in the
model.
277
STUK can perform its own analysis. There is a group inside the regulatory body, about
six persons, capable of performing similar analysis as utilities do. They have a probabilistic
code that STUK has developed and a plant model that was received from the utility. The plant
model is combined with the probabilistic code and then STUK can perform the analysis; for
example, the analysis of plant events is performed by STUK.
7. EMERGENCY ARRANGEMENTS
The IAEA has developed guidance for the development of emergency response
preparedness for nuclear and radiological accidents [27–29]. The IAEA has also developed a
training manual for reactor accident assessment and response [30] and offers specific training
courses in the area. In the following emergency arrangements are described generally without
going into the very detailed level.
A regulatory body has two different roles in emergency preparedness and response.
Firstly the regulatory body inspects the emergency arrangements of the nuclear power plant
and follows emergency exercises organized by the NPP from the inspection point of view. The
regulatory body also approves an emergency plan — in many countries it is one of the
licensing documents. Secondly the regulatory body has its role in the case of emergency. The
regulatory body assesses the accident and may give advice to the rescue authorities on nuclear
and radiation safety depending on the arrangements in the country.
Response to a severe nuclear emergency will involve many national and local
organizations. In most countries the regulatory authority is only responsible for the emergency
preparedness for the practices it regulates. Thus a national level co-ordinating authority must
be designated. The national co-ordinating authority will ensure the functions and
responsibilities of operators and all response organizations are co-ordinated and adequate.
7.1.WARNING OF THE EMERGENCY MANAGEMENT AUTHORITIES
An emergency response classification system should be established for installations
that can have events requiring prompt implementation of urgent (e.g. shelter, evacuation)
protective actions. This system will initiate the appropriate level of co-ordinated emergency
response on and off the site. For each class of emergency, the responsibilities and initial
response actions of all response organization should be defined. Declaration of a particular
class of emergency will promptly initiate pre-planned actions by the operator and all response
organizations. There should be classes of emergency that initiate, as appropriate: an increase
in readiness; on-site actions to mitigate the consequences of the event; precautionary
protective action on and off the site to reduce the potential for deterministic health effects;
urgent protective actions to avert doses; emergency protection of workers; and international
notifications.
IAEA advocates an emergency classification system with the following three classes
(summarized in the table below):
a)
278
General Emergency is the highest level and is an accident with a substantial risk of a
major release. This includes accidents involving actual or projected damage to the core
or off-site doses exceeding the international guidance for taking urgent protective
actions. At this level, urgent protective actions are taken immediately by the public near
the plant. Nearby countries should also be notified. General Emergencies should be very
rare. The Three Mile Island accident in the USA and Chernobyl have been the only
accidents to date meeting these criteria.
b)
Site Area Emergencies involve a major decrease in safety. This class includes accidents
where one more failure would result in core damage. At this level, the response
organizations and public prepare to take actions. In addition, non-essential on-site
personnel should be evacuated or sheltered and all emergency workers provided with
emergency radiological protection. Environmental monitoring should be started. In the
USA, with 100 reactors, this level of emergency occurs one or two times every few
years.
c)
Alert is an emergency involving a significant decrease in safety. At this level the
response organizations increase their level of readiness. The USA has one or two
emergencies at this level each year, in many cases involving hurricanes, floods or other
natural threats.
Class Description
Alert
Site Area
Emergency
General
Emergency
On-Site Action
Off-Site Action
Decreased safety
Partial Activation of Response
Increase Readiness
Unknown Conditions
Assist Control Room
Major Decrease in Safety
Full On-Site Response
One more Failure Results in Core damage Evacuate or shelter non-essential
personnel On-Site
High Dose On-Site
Monitor
Substantial Risk of Major Release
Same As Site Area +
Actual or Projected Core Damage
Recommended Protective Action
to Off-site Officials
Fully Activated Response
Same Site Area +
Implement Urgent Protective
Actions near the site
High Dose Off-Site
Notify IAEA and near by
countries
A proposed classification system and associated actions taken upon declaration of an
emergency were published by IAEA [28, 29].
Whereas the responsibility for on-site emergency preparedness and emergency
response rests with the owner of the nuclear power plant (NPP), the responsibility for the offsite provisions is usually assigned to the local authorities. Being very rare, nuclear
emergencies are no full-time job for an authority. Therefore an authority expected to respond
to a nuclear emergency needs to be warned early and reliably in order to be in a position to
organize itself and implement effective countermeasures. Warning may be justified because of
a bad plant condition, a considerable release of radioactive substances or increased radiation
doses in the environment. IAEA recommends (as has been implemented in many countries
e.g. Germany), that emergency action levels (EAL) be established for classification of
emergencies. EALs are, as much as possible, observable (e.g. in core thermocouples >700°
C). When the EALs are exceeded the event is immediately classified and the appropriated
action implemented to include issuing a warning to the off-site emergency management
authorities Such criteria should address abnormal situations involving plant systems, fission
279
product barriers, weather, security, releases and environmental measurements. The EALs need
to be unequivocal, derived from quantities accessible to measurement and simple enough to
be applicable under the stressful conditions present during an emergency. IAEA has
developed guidance on classification systems and EALs [29]
Even if the public telephone system breaks down — as expected in a major
emergency — the availability of communication lines between the NPP and the emergency
management authority or the availability of radio frequencies must be guaranteed.
The severity of the warning must be adequate, the completeness of the information to
the authority is usually achieved by utilising standard forms and formats.
The unit to which the warning is directed needs to be on duty round the clock, needs to
know how to interpret the message, needs to be provided with a checklist on actions to be
started and needs to know to whom to convey the warning, especially during evenings, nights,
weekends and holiday seasons.
The international aspects of early and adequate warning are determined by the IAEA
Convention on Early Notification, similar agreements within the European Union, bilateral
agreements on the governmental and local level etc.
7.2. RESPONSE OF THE EMERGENCY MANAGEMENT AUTHORITY
The emergency management authority is expected to be prepared for quite a spectrum
of accidents covering the whole range between a relatively small, local contamination and
exposure of large populations. Consequently, the duties and responsibilities on the
governmental, regional and local level need to be completely and unequivocally assigned. It is
very important that all the response organizations agree the allocation of responsibilities.
Coping with the consequences of a major release requires fast and efficient co-operation of
various authorities being responsible for or surveying:
x
x
x
x
x
x
x
x
x
Declaration of an emergency;
Public safety and order;
On-site and off-site emergency management;
Communication and media;
Agriculture, trade and commerce;
Public health and protection of the environment;
Radiation protection and monitoring;
Traffic and transport;
Forecast of meteorological conditions etc.
Co-operation of such a complexity requires that a lead authority be nominated. All
authorities involved need to be warned and to be prepared in advance for their tasks and
responsibilities. Recruitment of personnel and requisition of equipment must be legally
possible. Police, fire brigades and several types of military units are in a position to act very
quickly and efficiently. Their co-operation should be foreseen in the respective service
regulations.
280
As a consequence of all these needs and requirements a complex set of laws,
regulations, service regulations and service rules need to be developed. The role played by the
regulatory and supervisory authority in the preparation and implementation of emergency
response depends on constitutional, political, practical and sometimes historical issues.
However, if the legal and regulatory infrastructure is not complete or conflicting, it is not
necessary to enact new laws before the emergency planning process can start. In fact, doing so
would most likely delay the implementation of an effective emergency response capability by
several years. A preliminary response capability, based on readily available information and
legal instruments should be quickly developed for use as input in the development of an
interim capability.
In addition to formal requirements, several practical experiences should be taken into
account. It is desirable that co-operating persons or units belonging to different authorities be
located at a similar level in the respective hierarchies. Skills and knowledge required from the
personnel in emergency situations should be based to the largest extent possible on their
routine tasks. Persons expected to co-operate in an emergency should be encouraged to
contact their potential partners regularly in order to be an experienced team on demand.
7.3. ASSESSMENT
The practical objectives of emergency response are:
x to take mitigatory action at the scene;
x to prevent the occurrence of deterministic effects in workers and the public;
x to render first aid and to manage the treatment of radiation injuries;
x to reduce, to the extent practicable, the occurrence of stochastic effects in the
population;
x to limit, to the extent practicable, the occurrence of non-radiological effects in
individuals and in the population;
x to protect, to the extent practicable, the environment and property; and
x to prepare, to the extent practicable, for the resumption of normal social and economic
activity
There are very fast moving events for which immediate action is needed to meet these
objectives. These events are identified in advance as part of a threat assessment. For these
events the actions (to include protective actions for the public) must be pre-determined and
implemented immediately when the need is recognized. That is upon declaration of an
emergency. There is no time for meetings to determine the response. Meetings and detailed
assessments are to determine the course of action for lesser events and to revise the
predetermined actions.
Decisions on protective actions need to be based on a set of assessments — preassessment for pre-determined actions and assessment of on-going situation — such as the
event classification, the assessment of the plant status, the characteristics of the (potential)
281
release (amount of radionuclides, nuclide vector, start, course and end, energy content,
physical and chemical properties), dispersion and deposition of air-borne radionuclides,
contamination and dose in the near and far field, health effects, feasibility, benefits and
drawbacks of protective actions.
It is extremely important to note that most of the assessments must comprise both the
diagnosis of the present state and the prognosis of future developments.
For severe accident (e.g. general emergencies) the facility and off-site officials should have
predetermined arrangements that will result in prompt implementation of the appropriate
protective actions without time-consuming activities such as meetings. However, as a rule,
once the initial actions have been taken, the emergency management authority can and will
not exclusively rely on the assessments made by the NPP, the manufacturer and other
members of the NPP’s crisis management team, but will convene its own expert team which
my comprise a liaison officer from the NPP, a radiation protection expert, a physician
experienced in radiation protection and trained in disaster management, a liaison officer from
the supervisory authority, a meteorologist etc. Nevertheless the expert judgement of the NPP
personnel is of outstanding importance. For longer lasting releases the need for shift working
of the emergency management team and its advisors should be taken into account.
The emergency management needs access to all relevant measurements and should be
entitled and in a position to initiate complementary measurements.
In the first phases of an accident, when measurements are not yet available or
incomplete, calculations with the aid of dispersion, deposition and dose models may be
important. The emergency management needs access to the result of such calculations
including meteorological forecasts of the national meteorological services.
7.4. MONITORING AND MEASUREMENTS
Operational intervention levels (OILs) should be predetermined for use following a
release. OILs are easily measurable quantities that are a surrogate for the international or
national intervention or action levels. OILs are the levels of radionuclides in deposition, food
or water samples or dose rates. In addition procedures should be in place to revise the
predetermined OILs based on actual event data. IAEA has guidance [28, 29] on OILs and
procedures for their revision. IAEA has developed detailed guidance on environmental
monitoring during emergencies [36]
Many European countries have already installed or are in the process of installing a
stationary network of monitoring devices that allow the determination of the local dose rates.
Following an event, the network is switched from the normal to the emergency operation
mode delivering results with an adequate frequency.
In addition, the availability of monitoring teams and of laboratories capable to measure
a considerable number of samples in case of an emergency is an important issue of emergency
response planning. Availability means preparations for the alert of the teams, provision of
sufficient equipment and vehicles, assignment of tasks, knowledge of both location of and
access to measuring points, availability of standardized maps etc.
282
Lines of communication between the monitoring teams, the labs measuring the
samples and the emergency management must function at any time. The transport of samples
to the labs is to be organized. All emergency response personnel need to be trained
periodically, the equipment must be checked and maintained. It may be necessary to develop
guidance for sampling, preparation of samples and for measurements.
Of paramount importance is the development of a measurement strategy. There is a
hierarchy in terms of kind and time of measurements. Fast measurement of air-borne
radioactivity, local dose rates and foodstuff for cows (iodine) is more important than the
contamination measurement of fruits and vegetables which can be harvested later.
Identification of key measurements necessary as a basis for decision making is much
more useful than the generation of a flood of measured data.
7.5. INTERVENTION
For an early release, very fast and efficient countermeasures forming an intervention
programme may be necessary. Prerequisites for successful implementation of an intervention
programme are established emergency preparedness concepts and emergency management
strategies. Main components thereof are:
x
x
x
x
x
x
A set of agreed countermeasures;
A basis for decisions on them;
The provisions necessary for their implementation;
Unequivocal assignment of responsibilities;
Availability of personnel and equipment;
Periodic training, exercises and up-dating of documents.
There is a need for conducting an assessment of practices in a country to determine when
and where immediate (emergency) action will be needed to meet the response objectives.
Protective action strategies must be pre-determined that meet the objectives for the full range
of possible emergencies. Criteria and decision-making processes are to be established for
promptly implementing of these protective action strategies. In addition the necessary
preparations are made for executing these protective actions.
Emergency preparedness concepts are very complex and are dealt with in the Basic
Safety Standards [33], jointly sponsored by FAO, IAEA, ILO, OECD/NEA, PAHO and WHO
and other IAEA documents [27, 28, 29].
IAEA recommends the following basic strategy for implementation of protective actions in
the event of a severe emergency (e.g. a General Emergency):
1) Immediately upon declaration of the emergency:
x Evacuate or substantial shelter of the population out to about 3–5 km6 (in all direction)
and
x Distribute stable iodine near the plant to about a 25 km radius7.
6
7
This area is referred to as the Precautionary Action Zone (PAZ).
This are is referred to as the Urgent Protective Measure Planning Zone (UPZ).
283
2) Once the release has occurred rapid monitoring is conducted to locate and, if necessary,
evacuate any ‘hot-spots based on OILs.
3) Finally restrict the consumption of freshly-produced locally grown foodstuffs, such as milk
from a privately owned cow, or garden-grown vegetables until measurements can be
obtained to confirm the need for such measures.
Kind, benefits and risks of countermeasures as well as the principles of justification
and optimisation of an intervention are internationally agreed, although the practical
implementation of optimisation is not yet solved in a satisfactory manner. Numerical guidance
for justification needs to be developed by each country in accordance with its national
conditions [33]but keeping in mind that differences between countries are difficult to explain
to the population. Both the method of and the ingredients to optimisation must be chosen.
In order to avoid confusion under stress conditions it is advisable to carefully specify
the criteria to be used during an emergency in measurable quantities (OILs) and not nonmeasurable dose concepts such as equivalent dose.
Obviously provisions must be made for effective implementation of the
countermeasures/protective measures. This would include addressing issues related to the
availability of iodine tablets, their mode of distribution and their dosage, the availability of
public means of transport for evacuation of the public, transients and special populations,
criteria for a judgement on the feasibility of protective actions under adverse weather
considerations.
7.6. PLANS, RESOURCES, WORK SHEETS, GUIDANCE
Fast and efficient emergency response is helped considerably by good plans based on a
system of sectors and zones around the nuclear facility, fixed sizes, numbers, positions and
labels of these sectors and zones, and an unequivocal assignment of duties and
responsibilities. Important issues in such plans are alarm and communication.
In order to avoid frequent sources of error, careful checks for consistency of terms
(wind direction), maps, sectors, zones and places of measurements should be made. Another
frequent cause of errors and delays are obsolete names, positions, duties, responsibilities,
telephone and fax numbers, and e-mail addresses in emergency response plans. Periodical
review and careful updating are indispensable.
Consequently, emergency plans may comprise the following Sections and sections:
x
x
x
x
x
x
x
x
x
284
Contents.
Emergency management objectives.
Document control.
Emergency management organization (including advisors and equipment).
Plant alarms and action levels (including which teams are notified).
Emergency response teams (including their own action plans and equipment to be used).
Maps, scales, sectors, zones and details of local populations.
Public protection intervention levels and action plans.
Communication.
In order to facilitate communication in case of an emergency, it is preferable to keep
those parts of the plans confidential which contain names, addresses, telephone and fax
numbers, e-mail addresses, etc.
Of great help may be guidelines and manuals such as catalogues of countermeasures
indicating the different kinds of action, key features, efficiency, basis of decision making,
guidelines and checklists for the development of plans, lists of physicians trained in
emergency response, of special hospitals and of premises with installations suitable for
decontamination of persons etc.
IAEA has provided guidance on the plans, procedures, facilities, organizations and other
elements of an adequate response program [28,29]
7.7. COMMUNICATION WITH THE MEDIA AND THE PUBLIC
Good communication with the public is a prerequisite of successful emergency
management. Such communication is not possible without the help of the media. The mass
media — i.e. the journalists — do not deal routinely with radiation protection issues, and if
they publish news on radiation protection, they do it with criteria different from those required
in an emergency. The knowledge of the public about the subject is limited as well. In
summary: News about a complex subject must be conveyed in a difficult situation by persons
with little knowledge to a population almost without any knowledge.
To provide timely information to the media and the public taking account of the
complexity of the subject, good relations with reliable journalists should be established and
carefully maintained. The way of communicating official statements should be agreed with the
media, pre-formulated modules of messages should be developed taking into account that an
information to the public should always comprise:
x
x
x
x
x
x
A statement about the characteristics of the accident.
A best estimate about the further development of the accident.
A statement about the reaction of the authorities giving evidence.
Competence of the authority.
Instructions about countermeasures — if applicable.
Assurance of periodic and adequate information.
The information must be concise and adapted to the knowledge of the average citizen.
Give the population a chance to make its own assessment, e.g. by comparing the exposure due
to the accident with the exposure due to natural sources.
In the countries of the European Union (EU) the application of the EU standards on the
information of the public — routinely and in case of events — is mandatory.
The international INES scale is designed for the purpose of informing the public, but as
a rule the public knowledge about the INES scale is small. If sirens are used for warning the
public, the familiarity with the siren signals should be promoted.
For an installation for which urgent protective action may be needed, the off-site
populations near the plant should be provided with information on their response during an
emergency on a routine basis.
285
7.8. DECISION SUPPORT SYSTEMS
IAEA recommends that initially decisions concerning protective action not be based on
dose projection models because of the great uncertainties associated with their use. Early in a
severe emergency, IAEA recommends that decisions on countermeasures be based on very
simple criteria that rely on observable data (EALs and OILs). However, for long-term
emergencies involving large atmospheric release resulting in large areas of contamination, a
computer-based support system many be very useful.
The European Union is promoting the development of a computer-based, real-time, online decision support system called RODOS. The Institute for Neutron Physics and Reactor
Engineering of the Karlsruhe Research Centre is playing a leading role in the development of
this system, RODOS-based emergency response courses were and will be conducted at FTU.
Supposed to be the main beneficiaries of RODOS the emergency management authorities
were requested to contribute as much as possible to the development of this system.
The RODOS system can provide decision support at four distinct levels:
x Level 0: Acquisition and checking of radiological data and their presentation, directly or
with minimal analysis, to decision makers, along with geographical and demographic
information.
x Level 1: Analysis and prediction of the current and future radiological situation (i.e. the
distribution over space and time in the absence of countermeasures) based upon
information on the source term, monitoring data, meteorological data and models (realtime, on-line).
x Level 2: Simulation of potential countermeasures (e.g. sheltering, evacuation, issue of
iodine tablets, relocation, decontamination and food-bans), in particular, determination of
their feasibility and quantification of their benefits and disadvantages.
x Level 3: Evaluation and ranking of alternative countermeasure strategies by balancing
their respective benefits and disadvantages (e.g. costs, averted dose, stress reduction,
social and political acceptability) taking account of societal preferences as perceived by
decision makers.
The RODOS system was or will be installed in many countries for research and
development and/or operational use.
There may be large uncertainties with projections of doses before and during a release.
Therefore early in an event protective action decisions are based on simple observable criteria
(e.g. indications of core damage), or operational intervention levels. Tools such as RODOS
should be used to reassess the initial decisions and for further decisions when more time and
information are available.
7.9. PROTECTION OF EMERGENCY WORKERS
All personnel performing actions to mitigate the consequences of the emergency
should be considered emergency workers. For example this includes drivers of buses used for
evacuation or police controlling traffic.
286
The dose received by emergencies must be justified and for this purpose the workers
can be subdivided into four groups in accordance with the following categories of works:
x Actions for saving life and/or preventing severe consequences. Such exposure is highly
justified, but should nevertheless not exceed the threshold for serious deterministic effects.
x Short-term recovery operations and/or urgent countermeasures affecting the public. All
reasonable efforts should be made to keep doses below an effective dose 100 mSv in a
year.
x Long-term recovery operations. These operations can be carefully planned, the workers
involved can be trained, medical supervision and dosimetry services can be provided. The
full system of radiation protection for workers should apply.
x Work not connected with the mitigation of the consequences such as routine work in
sewage treatment plants, exchange of air filters, farm work causing resuspension of
deposited radionuclides etc. It depends on the features of the accident whether special
radiation protection measures for these groups of persons are required. No numerical
guidance has been developed.
In implementing the system of protection for emergence workers issues such as the following
must be addressed: means to continuously monitor the doses received, field turn-back criteria,
and protection from all anticipated hazards (e.g. toxic gases). Care must be taken that off-site
emergency services personnel (e.g. fire fighters, police, medical) who may respond on site are
provide with adequate protective arrangements. IAEA has provided guidance protection of
emergency workers [28,29]
7.10. TRAINING AND EXERCISES
In accordance with 7.1 to 7.9, typical items of training may be:
x Tasks and responsibilities of all persons involved in emergency preparedness and
response;
x Planning basis;
x Assessment of plant conditions;
x Alarm criteria;
x On-site and off-site accident management;
x Equipment and provisions of the authorities;
x Importance of radionuclides and pathways of exposure;
x Kind and features of countermeasures;
x Criteria for intervention;
x Use of decision support systems, pc-programs and other supporting material;
x Information of the media and the public etc.
There is a series of tasks to be solved by the emergency management that require
periodical exercising. Examples are:
x On-site emergency management;
x Warning of the emergency management authorities;
287
x Co-operation of authorities, routinely operating in different areas or departments or on
different levels;
x Advice to authorities given by experts;
x Communication;
x Transboundary communication and co-operation;
x Early notification of boarding States IAEA;
x Ad-hoc development of a basis for decisions on countermeasures.
It is advisable to develop guidance for these subjects. The NPPs are usually obliged to
contribute to all types of exercises.
7.11. CO-OPERATION WITH NEIGHBOURING STATES
In addition to the long-range transport of considerable amounts of radionuclides the
Chernobyl accident had several unpleasant features causing confusion in the population:
x The long-lasting reluctance of the former USSR to inform its neighbours adequately on
what had happened;
x Differing governmental judgements about the situation and the implications for the
population; and
x Different intervention levels in the European states.
All efforts should be made to avoid such difficulties in the future. A good basis
therefore are the IAEA Convention on Early Notification, the corresponding agreements
among the EU States and many bilateral agreements on communication, liaison officers,
calculation models, intervention levels etc.
8. COMMUNICATION WITH THE PUBLIC
8.1. GENERAL INFORMATION
IAEA has developed guidance on communication with the public for the nuclear,
radiation and waste safety fields [37]. Regulatory role in public communication depends very
much on the national governmental practices. In some countries only necessary information is
provided by the regulatory bodies while in some other countries regulatory bodies try to be as
open and communicative as possible. Public trust on regulatory bodies is an important issue.
Also good safety culture practices include openness in communication. It is also necessary to
establish communication channels during normal power plant operation to gain the greatest
benefit in emergencies. If information is only provided during incidents or, even worse, if
information is not provided even then in a timely manner, rumours and public mistrust of
regulatory bodies prevail.
8.1.1. Role of the regulatory authority
The regulatory authority has a very important role in the communication of nuclear
safety to the population. It is the regulatory authority that establishes, controls, inspects and
enforces the nuclear regulations. It is often the first to be contacted when there is an abnormal
288
situation. The regulatory authority, as a body with independent functions to control the use of
radiation, is the appropriate organization for providing independent, neutral, balanced and
factual information about any issue related to nuclear safety in the country. This position gives
the necessary credibility to the regulatory authority. Nonetheless, a communication
programme must be in place to create and maintain this image.
The roles and responsibilities of regulators and licensees are different and so are their
messages. It is fundamental to transmit the message that the regulatory authority is responsible
for the national control of the use of radiation sources and not biased in favour of promotion
of the nuclear industry.
There are many difficulties in conveying messages on nuclear safety to the public. Much
of the difficulty relates to the technical language that experts use routinely in their work, and
therefore tend to use when communicating with others.
There are also more mundane problems with establishing a good communication
programme, such as:
x
x
x
The other duties of the regulatory authority in developing regulations; inspecting and
enforcing are commonly perceived to be more important and urgent. This can result in
only reactive communication taking place, i.e. Only when there is an incident;
The lack of dedicated personnel with a good level of technical expertise and a talent for
communication; and
The absence of an adequate budget for a communication programme.
The communication challenge for regulatory authorities is therefore to provide
independent, factual information to explain how they are ensuring the safety of activities
involving radiation and radioactive materials. In order to develop trust and understanding
between the regulatory authority and its audiences, communication obviously needs to be
open and honest, but the development of such a relationship also depends on regular and
consistent communication.
Clearly, the regulatory authorities have a particular need to communicate when incidents
occur or when issues are raised, but the communication in these ‘crisis’ situations is likely to
be much more effective if a relationship has already been established through regular routine
communications. Hence proactive communication about safety and regulation when there are
no incidents to report can be just as important as communication in response to events.
The channels of communication between regulators and licensees should be always
clearly identified and the communication should be constant, formal and official. Aside from
the routine interactions, two special types of communication that are also indicative of a good
relationship between those two parties are:
x Notification of unusual events — regulators should be kept informed by the licensees of
any unusual event related to safety conditions in an installation, even if this event is
unlikely to progress to an emergency situation. Permanent communication in crisis
situation avoids any contradiction or inconsistencies in communication to third parties.
x Feedback on recent safety developments and inspections completed — regulators should
inform the licensees about new guidance on safety matters, give feedback about inspection
289
reports on the installations or on radiological assessment due to an unusual event or
accident.
The communication of nuclear safety with decision makers, such as high level
governmental representatives and parliamentarians, facilitates political decisions such as those
related to the approval of adequate budget and organizational infrastructure for nuclear safety,
improves relationships and co-ordination of joint activities and strengthens the regulatory
authority as a whole.
If the regulatory responsibilities for nuclear safety are divided between a number of
different organizations, effective arrangements need to be made to ensure that communication
activities are coordinated to provide coherent information, or at least to avoid seemingly
contradictory information being disseminated by the different organizations.
One other perhaps less obvious type of communication responsibility is
communicating with regulatory counterparts in other countries. Such exchanges of
information and experience may be of assistance in carrying out not only the communications
role of a regulatory authority, but also in discharging its other responsibilities. International
communication between regulators can range from informal bilateral or regional exchanges to
the much more formal process of exchanging information under the terms of intergovernmental treaties such as the Convention on Nuclear Safety or the Convention on Early
Notification of a Nuclear Accident.
Regulatory authorities are encouraged to consult more broadly and to work with
technical universities, NGOs, professional organizations, etc. in order to exchange
information, increase awareness of regulatory authority work and get acquainted with new
scientific and technical developments, to understand and address the concerns of the scientific
community.
This publication does not refer to the issue of regulations by the regulatory authority.
However it is recognized that nowadays more and more lay persons read and analyse the
regulations for several reasons: e.g. as a user, an NGO, or simply as a critical observer.
Therefore, the preparation of regulations should take into account this fact to avoid any
misinterpretation of the content due to a lack of careful explanation of any technical term or
procedure.
8.1.2. Fundamentals of nuclear communications
Communications are a specialized field that should be placed in the hands of trained
communications experts who work in consultation with experts from the nuclear area. Just as
the control of nuclear technologies is a specialized field, so too are communications.
Experience has shown that poorly managed communications contribute to lower levels of
safety and to an antagonistic environment in which nuclear professionals lose their most
important resource: the trust of their constituents, including political authorities and the
public.
Internal and external communications are equally important. An effective internal
communications programme will strive to make the organization a team that clearly
understands and respects one another’s different yet equally important roles. This will
290
contribute to a more effective organization that can better serve the public interest. An
effective external communications programme will represent the opinions and expertise of the
organization to external audiences thereby reducing or preventing misunderstanding and thus
increasing safety. The programme will also try to understand and to present the opinions and
findings of these external audiences within the safety authority so that these opinions are
reflected in the final service offered to society by the regulatory authority.
Most people want to have information about nuclear topics. This interest does not mean
that people will seek out information on these topics. People are overloaded with information
and must be selective about what they spend their time learning about. Most people only pay
attention when they hear about an accident. Therefore it is better to assume an audience knows
relatively little — positive or negative — about any particular topic. In many cases they may
not have thought about the topic before. The lack of basic information may be surprising to
professionals who work with the subject on a daily basis. A majority of people does not know
what percentage of their electricity comes from nuclear energy or are even able to recognize
the radioactive trefoil sign indicating the presence of a radiation field; this has led to several
radiological accidents.
Lack of information does not mean that people are ignorant. Each target audience needs
to feel that their intelligence is respected. Responding to concerns with numbers like “well,
your risk of contamination from a transport canister is 10-3, is too scientific and may be
interpreted as cold and uncaring. A simple, factual explanation which puts the situation in
context is more effective: “if you stand next to this transport canister for 24 hours you will
receive the same radiation dose as an 8 hour airplane flight”. People are not impressed with
scientific risk assessments that show how safe nuclear energy is compared to other energy
sources. They think more about the consequences of an accident or radiation exposure than
about the probability of its occurrence. This is especially true for women who tend to be more
concerned about the future. Risk assessment should be explained as part of a context, how it is
used to improve safety technology and also in debates with technical specialized audience.
Just as knowledge of nuclear technologies is needed to reduce the risk of
mismanagement of radioactive materials, communication can help to reduce the risk of
misunderstanding fed by fear and rumour and consequently increase safety. It is clear that
communications cannot correct a technical error. However, technical excellence is no
guarantee against unsubstantiated fear and the reprisals that accompany such fear. The first
rule of communications is honesty and transparency in place of silence and suppression.
Excellence in operations and excellence in communications are mutually reinforcing concepts.
To be truly effective, the message must address not only the listener’s wants, it must
also address their often unspoken needs. Communication connects the message to basic
values. These basic values include security, safety, trust, right to choose and freedom.
A long-term relationship with one’s audiences, nurtured over the years, is among the
most important investments nuclear professionals can make. It is the foundation upon which
to build trust. Without trust and some degree of predictability, one’s relationships can be
turbulent or even disastrous.
A communications specialist should be placed within the executive committee of the
regulatory authority to assure their expertise is well integrated into the decision making
process of the organization. Experience has shown that not placing communications at the
same level of importance as operations, finance, or legal functions can have disastrous effects
in times of critical importance.
291
A high level communications expert should be trained with the knowledge of how to
use a variety of specialized media, including various forms of writing, speaking to the public,
media relations, publishing, community relations, and social science research and programme
evaluation to achieve the regulatory authority’s goals. Each field requires specialized
knowledge as well as a large investment in training. Each regulatory authority will have
different requirements, depending on the types of technologies they regulate and on the
cultural characteristics of the country.
The basic objective of nuclear communication from the point of view of the regulatory
authority is to keep the public informed about the facts on nuclear safety, and especially, its
own role in controlling the use of radiation in the country.
To develop a comprehensive communication programme on specific issues, five
elements are needed:
x
x
x
x
x
Clearly stated programme objectives;
Identification of the audience according to the objectives of the communication
programme;
Opinion research of audience(s), to identify the need and the messages to be
communicated and the channels of communication;
A management plan with clearly stated goals for each audience that will help to achieve
the objectives, and which considers a number of options; and
An evaluation plan to incorporate lessons learned in future planning.
8.2. COUNTRY SPECIFIC APPROACHES AND EXPERIENCE
In the following one country example is provided to illustrate the regulatory role in
public communication. The example is based on reference [38].
8.2.1. Establishing a public information policy in Finland
A policy of total openness in information about operating experience of nuclear power
plants and other nuclear safety issues was adopted by STUK at the initial start-up of the first
commercial reactor in Finland in January 1977. Quarterly reports describing the operating
events have been published regularly starting from the first quarter of 1977, and event specific
press releases have been issued promptly as needed.
The reporting policy and approach was presented to the news media in a press
conference in December 1977. That first press conference by STUK was attended by a good
number of prominent press people, and our main message was well received. The message
was that all events of interest will be reported and the reports are available to anyone who asks
for them. Since then reporting has become a part of the normal routine.
The attention that was focused on STUK and its employees after the Chernobyl accident
has also resulted in a wide acknowledgement of STUK and its role as a regulatory
organization. Today, both the news media and the general public are actively contacting
STUK whenever they want to get information on nuclear safety matters, or to check
background for nuclear power related information received through international news
agencies.
292
In recent years STUK has significantly extended its activities on nuclear safety related
communications. There are now four full time communication experts working in the area
who can be reached at any times, days and nights.
The work can be divided into three different types of activity:
x Writing, publishing and distributing educational material and background information for
example by means of STUK’s own website leaflets, PC diskettes, teletext, “ALARA”
magazine, and organizing meetings with journalists and other interested groups.
x Providing timely information on nuclear safety related events in Finland and abroad. The
timing of publishing the domestic information (promptly or in periodical reports) is
defined in STUK’s internal guidelines, and depends on the estimated interest and public
concern; and
x Responding to the information needs which are indicated in the form of questions from
political decision makers, other government authorities, journalists, or members of the
general public.
An important point to be noted by STUK staff in all communications is that one should
not give an impression of promoting the use of nuclear energy. This is a delicate topic and
misunderstandings can be possible while the authority tries to alleviate unnecessary concerns
in people’s minds. The duty of STUK is to present the facts as clearly as possible, and give the
reader or listener the opportunity to draw his/her own conclusions. The systematic use of the
INES scale has also been most helpful.
8.2.2. Criteria for reporting operating events
The main rule is that STUK reports to the public all events that are safety related
(including events categorised as INES level 0) or which may for some other reason be of
general interest. A question to be asked in each case is: how and when to report? There are
three possibilities:
x Events of great public concern that require immediate information using methods
developed for emergencies. In such cases it is not enough to consider the information
issue alone, and the whole situation would be handled using STUK’s emergency plan and
arrangements;
x Events not requiring emergency measures but prompt reporting on the same day. Support
for decisions on reporting in such cases is given in an internal STUK guideline. If prompt
reporting is needed, a further question is whether to issue a separate press release and send
it by fax to news media and authorities included in our mailing list, or just to make the
information available through various telecommunication tools; and
x Events that will be described in quarterly reports only.
The internal STUK guidelines say that prompt reporting should be done whenever an
event is likely to be classified INES scale 1 or higher.
293
Besides the safety related events, STUK has also found it necessary to report certain
other events that typically raise concerns in people’s minds. The reason is that in one way or
another such events may penetrate to the news or cause false rumours, and then it is difficult
to explain what really happened and why it was not reported. Examples of such events are:
x Leaks of radioactive water within the plant or into the environment, irrespective of the
level of radioactivity, and in some cases even a leak of clean water if the leakage is large;
x Abnormal events in handling nuclear materials or nuclear waste;
x Fire anywhere on the plant site which results in alerting the fire brigade;
x Worker related accidents where a person is admitted to hospital as an emergency case, or
receives a radiation dose or internal contamination that requires special investigation; and
x Unplanned reactor shutdown or load reduction, for instance as a consequence of a
technical failure or abnormal natural phenomena.
8.2.3. STUK’s quarterly reports on the operation of nuclear power plants
Quarterly reports on the operation of Finnish nuclear power plants describe events and
observations related to nuclear and radiation safety that STUK considers of safety
significance. Before issuing a report comments are invited from utilities. The reports are
written for the layman. Thus, for example, the meanings of all technical words are explained
and no acronyms for systems and devices are used.
A quarterly report contains a description of nuclear power plant operations (i.e.
diagrams of daily gross power, production data, causes of power reductions, shutdowns and
outages). Events which are reported are described from the viewpoint of nuclear safety and
INES levels are indicated. An event description includes the following subjects: safety
oriented title, short description of what happened and what was safety significant
(introduction), description of the system which failed, a detailed description of the event, root
cause (if known when producing the report) and improvements made to prevent recurrence.
In the report’s Section on radiation safety, occupational exposure at Finnish nuclear
power plants radioactive releases and the results of the environmental monitoring are
presented. The report also contains descriptions of plant safety improvements.
The annual number of events at the four Finnish nuclear power plant units reported in
STUK’s Quarterly Reports in 1990–1998 varied from 11 to 24. Examples of event types are as
follows: partial unavailability of safety systems, reliability of a safety system compromised,
small fuel cladding leaks, minor radioactive contamination, minor doses to workers (well
below the dose limits) and procedures violated. Most events have been classified as level 0 on
the INES. The highest INES level of incidents reported in this period was 2.
The quarterly reports are distributed to the Finnish press and media, authorities,
utilities, research institutes, and municipalities near nuclear power plants. Altogether in the
mailing list there are about 180 addresses in Finland. The reports are translated into English.
294
These translated reports are distributed mainly to foreign nuclear regulatory bodies, and
altogether about 80 reports are sent all over the world.
Response of the news media and credibility of STUK
The news media has treated the information provided by STUK in a constructive and
professional manner.
The information provided by STUK serves its purpose only if it is considered credible
by the people who receive it. It is STUK’s own assessment that it is taken as a quite credible
source of information. Such an assessment can be based on the way it is treated in the news
media and on private discussions with outsiders. Also, the recent survey studies indicate that
people consider STUK the most credible source of information in the field of nuclear safety.
8.2.4. Technical tools to offer prompt information
STUK’s technical communication tools provide information promptly and conveniently.
STUK’s teletext pages on the state owned TV network and the new section on www.pages are
normally updated approximately once a week. During an incident they are updated as often as
needed. Information normally concentrates on subjects of common interest, such as the use of
radiation and nuclear power in general. In case of an abnormal situation the tools can be used
to transmit information such as protective action recommendations to the public.
Each Friday the information services publish a telefax bulletin called “Weekly
Information”. It includes all the radiation news reports released during the week. The bulletin
is faxed to the relevant authorities. The STUK's radiation fax service is also updated on
Fridays. People can order the weekly information bulletin to their own fax machines from this
service. The fax service may also include recent press releases and background information on
radiation and nuclear safety.
8.2.5. Communication is intensified during an incident
STUK's policy is to start informing people about an incident immediately, even if not
all the facts are yet available, and also when there is no need for protective actions. If we did
not begin communication at our own initiative, we could be accused of trying to hide valuable
information. If the trust of the public and the media is lost, it might be extremely difficult or
even impossible to win back.
Informing the media aims at keeping the public aware of the situation and its
consequences, explaining the actions of the authorities and preventing rumours from
developing. If communication with the media is handled properly, it is an effective tool in
managing the situation.
In a radiation incident situation STUK's role as an expert organization intensifies.
STUK collects information and forms a judgement based on this information and on the
STUK's own monitoring results. Thereafter the STUK may recommend protective actions.
Naturally, prompt communication with the media is necessary, as well as smooth coordination between different authorities and the STUK's internal departments. The goal of our
on-call system is to start operations within 15 minutes of the first notification, at any time of
day or night.
295
The STUK uses fax report forms for urgent notification of the situation. Two of these
forms may also be faxed to the mass media. Their purpose is to give immediate and basic
information on the incident for public information purposes. The addressees receive the report
forms by a system called “multifax”. The forms are faxed to a telephone company that then
distributes them to different recipients almost simultaneously. The recipients are combined
into different groups. Each group has its own telefax number programmed in the STUK fax
machine. STUK sends a message to this telefax number and the telephone company then
distributes the message to all the recipients in the same group, e.g. to about one hundred press
offices and radio and television stations.
After the forms have been sent, press releases can be written and faxed by the multifax
system to the media, the authorities and always to the STUK's own departments. Depending
on the situation, press releases may also be faxed to the nuclear power utilities, local
laboratories and regional emergency centres. Press releases can also be reached on www.pages
and modified versions will be transmitted to the teletext.
Because a radiation incident almost certainly gives rise to an enormous need for
guidance, telephone lines can easily get blocked. If the situation calls for extensive guidance, a
group of experts can be formed to provide instructions to the public by phone.
STUK is prepared to give 10–15-minute situation descriptions for staff members and
journalists during an incident. These press conferences will be held at the auditorium every
hour and as soon as there is a change in the situation. Since it would be inconvenient for the
journalists to constantly travel between their offices and the STUK, STUK can provide a
temporary press centre for them at STUK library, which is situated close to the auditorium.
The press centre offers additional telephones, fax and copying services, and background
information.
An emergency may require centralising the authorities' public information activities. In
such a situation a national information centre can be set up at the information unit of the
government (state council). This centre will co-ordinate public information with the
authorities concerned, but the authorities are required to continue public information in their
own sector as well. The national information centre can also invite information officers from
other state authorities to give practical help in order to cope with an eventual massive demand
for information.
A communication programme must be tested in practice. So it is regularly evaluated in
emergency exercises held at the STUK. This has been intensified by inviting journalists to
participate in or observe the exercises, or by having staff members simulate the mass media
and the public.
Communication continues after the incident
After the incident is over, the need for communication continues. Explaining the
reasons and the results, giving guidance, and estimating the future development, as well as
reporting improvement of activities, may last for years. The incident may cause long-term
concern among the public, which can be diminished by continuous communication, e.g. the
information about the consequences of the Chernobyl accident was still being provided 10
years after the accident.
296
8.2.6. The INES classification is a useful tool in informing the public
The International Nuclear Event Scale (INES) [39] as been in use in Finland since the
very beginning, i.e. since 1990. The scale has been a useful tool in the STUK's information
policy, for putting incidents into perspective for media use. STUK has required the utilities to
submit a proposal for an INES level. STUK then decides the INES level of an event. The
proposal of the utility should be available in STUK so that the INES level can be used when
informing the public about the event.
STUK reports to the IAEA on INES ratings as required. Events classified as level 2 or
above, and also events having public interest internationally, will be reported to the IAEA.
The INES levels of events in other countries that are reported to STUK through the INES
network are also used when STUK informs the Finnish media about these incidents if the
INES levels are available at an early stage.
STUK has produced a leaflet in Finnish, based on the IAEA’s leaflet describing the
INES levels. Figure 19 presents the International Nuclear Event Scale (INES) for prompt
communication of safety significance of incidents and accidents. Appendix VI presents more
detailed description of the INES including examples.
FIG. 19. International Nuclear Event Scale (INES) for prompt communication of safety significance
of incidents and accidents [38].
297
8.2.7. Observations about crisis communication
The following issues should be taken into account when crisis communication is
planned:
x An active and timely communication policy can prevent false rumours;
x There has to be a constant flow of information — people have different ways to receive
the messages;
x The information should be timely;
x The source of information should be reliable;
x When possible feedback should be used such as experts answering telephone calls on
radio or television;
x Deliberately false information will be found out and will harm future communications;
x Human beings are both rational and emotional beings — the psychological aspects of a
crisis should be analyzed and considered; and
x A crisis may create lasting psychological traumas — sometimes post-traumatic
communication care is needed.
How to communicate with the public
The following key issues should be remembered:
x The information must be easily available;
x The information must be understandable. Use everyday words and avoid professional
language. Short sentences with active verbs are better understood; and
x The information must be memorable, especially if it contains advice and
recommendations. A message of an incident or accident should include time and place,
involved persons, cause and consequences. The message is best remembered if you can
repeat essential facts.
Complaints about public information
The following complaints have been collected concerning provision of information
during accident situations:
x Too late, too little;
x Hiding of important information;
x Too many sources of information, no co-ordination;
x Nobody in charge of communication;
x Too much difficult language;
x Too many rumours;
x Wrong attitudes about communication;
x “They know more but they do not want to alarm people”;
x Very difficult to find anybody to give information — when finally found the one could not
explain difficult material well; and
x They did not understand its psychological importance for a common person. They kept
talking about technical details.
298
APPENDICES
Appendices I to III provide three examples of safety development when operating
procedures and emergency operating procedures of a nuclear power plant are concerned, i.e.
x Evolution of operating manual in Germany.
x Complementary procedures aimed at coping with the complete failure of redundant
systems in France.
x Preparation for the management of severe accidents in France.
Appendices IV and V provide examples of nuclear safety standards, i.e. a list of the
IAEA Nuclear Safety Standards and as a national example a list of Finnish Regulatory YVL
guides.
Appendix VI presents the IAEA INES scale that is an important tool in public
communication (classification of events).
Appendix VII presents a typical training course related documentation for organizing the
training course on regulatory control of nuclear power plants.
299
Appendix I
EXAMPLES OF EVOLUTION OF AN OPERATION MANUAL —
OPERATING PROCEDURES
Operating procedures for normal operation
For normal plant operation of a nuclear power plant — such as plant start-up or
shutdown — there are written instructions laid down in the “operation handbook”. These
instructions enable the operators to bring into (or take out of) service single systems or other
components — each manual operation is described in detail step by step. Therefore the written
instructions often are designed like check lists. In some cases theses instructions have a
logical structure which can be read like the source code of a computer programme (IF ...
THEN ... ELSE). This logical structure sometimes exists separately as a complementary short
version of the detailed check list and is used by the shift supervisor while the operators switch
at the console in the control room or operate in plant areas by means of the detailed version. In
other cases there is only one version that has an integrated logical structure.
Besides instructions for plant operation the operation handbook that consists of
numerous folders (up to 100 — and even more) contains system drawings, valve lists, tank
protection sheets and other technical paperwork for each single system. The content of all
system folders are identical. For example, authority regulations for safe NPP operation, repair
time catalogues and organizational regulations are part of the operation handbook.
The layout of the operating manuals varies between different plants even between
those of the same manufacturer. Nevertheless there exist common fundamental requirements
covering the content and the design of the operation handbook in most countries (e.g. safety
regulation KTA 1201 in Germany).
Operating procedures for abnormal conditions
One of the major design principles of a nuclear power plant is to protect the integrity of
the reactor core and to prevent significant radioactive release to the environment during
accidents without requiring urgent reactor operator actions. Therefore nuclear power plants
are equipped with automatic protection systems which monitor the plant status continuously
and automatically actuate safety systems if important plant parameters reach pre-determined
safety limits (reactor protection system).
The main task of the reactor protection system is to bring the plant to a stable safe
condition in a limited period of time
During this time the operating personnel have to diagnose the plant status to find out
what kind of accident happened and then — following the “event-oriented” procedure — shut
down the plant to cold, subcritical status. The traditional approach throughout the nuclear
industry is to have operating procedures for certain postulated events that have been analyzed
and discussed in the safety analysis reports. The procedures formerly were only limited to
single initiating events followed by successful operation of safety systems designed to respond
to those events.
301
In the last decade the strategy of accident control has been extended to include
consideration of:
x Design accidents with additional problems (e.g. steam generator tube rupture with
additional disturbances, event tree);
x Combinations of different design accidents (e.g. steam generator tube rupture and main
steam line break at the same steam generator inside containment).
Meanwhile the available operating procedures cover such additional problems and the
plants´ safety systems have been back fitted during the last decades to enable them to cope
with such accidents.
Although the “event-oriented” operating procedures today are well prepared and tested
on full-scope simulators there remains the risk that an event does not progress as predicted.
Event-oriented procedures have a limited scope and they cannot address a variety of multiple
failures or events that have never been foreseen.
So some events (of a very low probability) may not have an applicable procedure, in
other cases more than one event procedure must be used at the same time, which could cause
severe contradictions when using different procedures. For these so-called “unexpected
events” other strategies and related paperwork have been developed i.e. the “safety function
oriented procedures” (“symptom-based procedures”)
The idea of this strategy is the independent monitoring of the fundamental safety
functions immediately at the start of an event e.g. after reactor trip (simultaneous to the
“event-oriented” diagnosis):
x
x
x
x
x
Sub criticality;
Prevention of radioactivity release;
Core covering;
Heat transfer;
Storage of cooling water and energy supply.
If it is found (whether automatically or by means of human supervision of certain plant
parameters) that one of the safety functions is impaired or that there is no applicable “eventoriented” operating procedure, the “safety function oriented management” of the plant
becomes necessary.
In such situations the shift supervisor has to alert the members of the Accident
Management Team to be prepared for emergency actions. In the so-called “Safety Function
Handbook” (which in some cases is still in the licensing process) the operating shift team can
use written instructions to re-establish a safe condition of safety functions that do not
contradict any instructions laid down in “event-oriented” manuals may be applied
simultaneously.
For certain events with very low probability there is an “emergency handbook” (which
in some cases is still in the licensing process) covering instructions such as primary and
302
secondary side feed and bleed or containment venting. The use of these instructions needs
permission from the Accident Management Team (station management).
Logic and organization of procedures
To be fully comprehensive and effective for use by operations personnel, operating
procedures for abnormal conditions must meet the following objectives:
x Continuous maintenance or prompt restoration of all critical safety functions;
x Early plant stabilisation from transient conditions;
x Optimum long-term recovery of the plant after the event has been sufficiently diagnosed.
It is important that the procedures provide symptomatic and adequate guidance from
the beginning of an event or transient so that operating personnel can provide appropriate
responses without having to rely on memorised event response when facing a complicated
event. Good procedures should assist operating personnel giving priority to the most
important matters and information and thus avoid confusion caused by numerous alarms and
misdirection to less important matters and information. The relation between action levels and
procedures must be clearly and uniquely defined. It is important that the relative priority of
action levels and procedures be clear in case of more than one action level occurs
simultaneously.
After an abnormal condition, the first tasks are to verify the correct response of key
plant systems and to take corrective action on any malfunctions. These immediate responses
can be common for a variety of events. Thus, the procedure to be entered first should be
written so that it is applicable without detailed information on the initiating event. Procedures
should be established to assist operating personnel in the event of certain unique failures or
failure combinations which are of general concern and which require procedures with a
strictly limited scope. Examples of these are Anticipated Transport Without Scram (ATWS),
total loss of electric power supply and failure combinations of relatively higher probability
which may affect entirely safety systems if not managed correctly.
Procedures for monitoring, maintaining and restoring critical safety functions should
direct operating personnel towards taking appropriate actions without having to wait for
diagnosis of the specific event. Such action should not need to be an optimum response but
should protect or tend to restore critical safety functions without delay. These procedures are
intended to be applicable to plant conditions regardless of the event sequence that leads to that
condition. The “safety function handbook” should correspond to the alarm actions to alert the
accident management team early.
Additionally, clear and unambiguous criteria for entering emergency procedures must
be established in these procedures.
Procedure format
Care must be taken to assure that procedures for abnormal conditions are presented in a
style that is clear and useful to operating personnel during such conditions. A consistent
design should be used throughout the procedures. They should be easily identified from other
303
plant procedures (colour, registration number, storage). The procedure title should be short
and descriptive so that operators will quickly know the abnormal condition to which it applies.
Full quality and document management procedures should apply to such documents,
including appropriate referencing of pages and periodic review of material presented.
Explanatory information is to be avoided, except when a brief indication of scope or
purpose is necessary (e.g. headlines above certain operation steps, like “activate boron supply
system”). The procedures shall be limited to “action/verification” steps along with
“warning/caution” and short “notes”.
Procedural guidance shall be presented in short, concise steps in command form useful
in stressful situations. Each step should cover just one action or a group of actions that form
an entity and can clearly be referred to with a common command.
For each action, consideration should be given to providing a contingency in case the
desired result is not achieved. Contingency measures should be presented in a way that will
avoid operating personnel looking at them if the plant responds as expected.
“Warning/cautions” and “notes” should not include any actions. These should be presented in
a format that clearly differs from the action steps. They should directly precede the action step
to which they apply so operators are made aware before taking the related action.
Words and definitions used in the procedures should facilitate prompt recognition and
understanding during abnormal conditions and that should be used by the operating personnel
during such situations. There should be consistency with usage in training for abnormal
conditions, control room labelling and other plant procedures. A consistent format for use of
conditional statements should be followed throughout the procedures. Make instructions as
simple as possible — use the logic words “IF ... AND...OR...THEN...NOT...IF NOT” ....and
so on.
To ensure that operating personnel are familiar with the format of the procedures for
abnormal conditions, the procedures for normal operation should, ideally, have the same
structure and follow the same principles.
It is less important how the procedures are designed — the main objective is, that they
can be read easily and are accepted (and improved) by the operating personnel. The authors of
the procedures should observe operating personnel during training at the full-scope simulator
when using their manuals!
Authors of procedures
Authors of any kind of operating procedures should have practical experience of the
jobs done by the individuals to whom they apply. Authors of procedures for abnormal
conditions should possess a shift supervisor licence and several years of practical experience
in this position. Additionally they should currently be involved in plant specific safety
analyses, procedure updating, plant operation and training of the licensed shift personnel.
Experiences as part-time full-scope simulator instructors are helpful. These experts should be
involved in the competence verification of the licensed shift personnel.
304
Training in the use of procedures
The best way to teach operating procedures is using a plant-specific full-scope
simulator, because this gives the most realistic conditions. If such a training tool is not
available, a technical information package should be prepared to supplement the procedures. It
should, document the technical basis for the procedures, on one hand, and, on the other hand,
convey the author’s intent to those applying the procedure. Such a technical package would
serve as a training aid during classroom training of the operators and it would minimise the
need for explanatory notes in the actual procedures. The comprehensive technical description
should contain all relevant technical background information. This information is especially
important when considering possible future modifications.
The descriptions could cover:
x
x
x
x
x
x
x
x
x
x
x
x
x
The reason for the chosen method;
Why certain methods were avoided;
A step by step discussion of the procedure to make it clear why each step is taken;
Design concepts and regulations applied;
Any unexpected or extreme physical, thermodynamic and hydraulic phenomena;
Other actions, which for certain reasons are not discussed in the procedure — but which
could however be performed;
An explanation of which possible methods are preferred for specific conditions;
References to related analyses and computations;
Further long-term measures;
Results from full-simulator training sequences;
If available — analyses and reports of events in other nuclear power plants;
Pictures taken of the control room or plant areas which will enhance understanding;
A set of questions for repetition and tests.
Current computer technology offers new training methods. At RWE Energie AG,
Biblis NPP Training Centre a “Web-Based” training tool is under development (1997). With
this operating procedures will be available in the Biblis NPP´s own Intranet as web-pages
together with self-explanatory links (descriptions, photographs, videos, animated graphics,
voice recording).
General recommendations
Operating manuals should always reflect the highest standard of practical plant
operation — which means that regular updates are necessary. The manuals must be designed
ergonomically for practical use in the control room and in plant areas. Technical parts of the
Operation Handbook (drawings, valve lists, limits) should be kept up-to-date by Technical
Support Groups. Direct operating instructions (check-lists, step-by-step procedures) should be
prepared and updated by experienced operations engineers with experience of working in the
control room (e.g. shift supervisors). Drafts of modified procedures should be tested at the
full-scope simulator before being approved for unrestricted use.
Operating manuals should always be used during training to make the operating shift
personnel familiar with this working tool. Training objectives being used for competence
verification of the operation shift personnel should be deduced from the operating manuals.
305
Operating manuals should not be considered as “just another document needed for licensing a
nuclear power plant” but as “the most important working tool of the operations personnel”.
The operating shift personnel should be trained and called on to optimise the manuals
currently by their own practical experience. During the lifetime of a nuclear plant all essential
operating experiences needs to be captured and retained in the Operation Handbook. This
becomes important especially when a generation of shift personnel moves on after some years.
306
Appendix II
COMPLEMENTARY OPERATING CONDITIONS
Origins
Since 1973, American safety organizations had been discussing the possibility and
possible consequences of a failure of the emergency shutdown system associated with a
transient (anticipated transient without scram, or ATWS). Emergency shutdown is, in any
case, a redundant system, therefore answering to the single-failure criterion. The French safety
authorities extended the implications as of 1975, requiring EDF to study the probability and
consequences of a complete failure of safety-related systems, in constant or frequent use. The
systems involved are those ensuring power supplies, those ensuring heat sink availability and
its associated equipment, and those ensuring core cooling via steam generators. In general,
these functions are ensured by several redundant systems.
A good electrical supply system would be one that had two relatively independent
supplies from the grid network, a means of supplying their own systems by operating at
reduced load isolated from the grid network, plus two or more diesel supply systems. The
safety duty would then be capable of being met by any one of these supplies. During reactor
operation, core cooling is ensured by the steam generator normal feedwater system. This
system is redundant. Should it fail or the turbine become inoperable, the reactor is shut down,
and the steam generators are supplied by means of the auxiliary feedwater system (AFW),
which itself has built-in redundancy. The single failure criterion is thus fully catered for.
Preliminary investigations on the subject were called “beyond design basis” studies, an
expression reserved for studies of very serious accidents whose probability is low. They in
fact related above all to operating conditions “that went beyond the scope of conventional
design”. To appreciate the advantage and importance of these new studies, a basic reference
was needed. The safety organizations then suggested that the probabilistic references used for
external hazards be used.
The position of the safety authorities
In 1977 and 1978, the SCSIN defined, in two letters to Electricité de France, an overall
probabilistic goal and practical applications in terms of studies to be undertaken. The main
points of these two letters were as follows:
x Design of units including a pressurised water reactor should be such that the overall
probability of the unit causing unacceptable consequences does not exceed 10-6 per year;
x The probabilistic approach should be used for as many events as possible;
x The use of a probabilistic approach does not imply demonstration of observance of the
overall goal nor direct use of these methods in unit design. However, it can improve the
definition of the deterministic criteria used;
x Given the overall goal of 10-6, a value of 10-7 is used as the annual probability of
occurrence of unacceptable consequences for each event family for which a probabilistic
approach can be used;
307
x On the other hand, event families whose estimated frequency is clearly lower than 10-7
per year per unit shall not be taken into account;
x “Realistic” design assumptions and methods may be used to study event families whose
consideration in unit design is a result of this complementary approach;
x Simultaneous failure of redundant trains of safety-related systems should be studied in this
framework.
These principles call for some comments:
x The overall goal is set in terms of “unacceptable consequences”, which are not defined by
law or regulation. These consequences must therefore be determined politically and be
subject to modification. Practically speaking, each time a probabilistic approach is used
for an event family, a prudent well-defined goal is set in terms of avoiding unacceptable
consequences;
x For aircraft crashes, loss of integrity of buildings housing safety-related equipment shall
automatically be assumed to lead to “unacceptable consequences”;
x For the total failure of redundant systems, the “unacceptable consequence” which shall be
considered is the beginning of core uncovering, with no possibility of rewatering;
x The probability of 10-6 per year of unacceptable consequences is an “objective” maximum
value. The applicant is not required to prove that this goal is reached;
x The value of 10-7 per year is not an obligatory threshold value for an event family since
there can be compensation with other families with lower probability;
x Additional measures that may prove necessary might include procedures using systems
already existing in conventional deterministic design or additional systems.
One may be inclined to compare the consequences of the event families analyzed by
this method with fourth category operating conditions, just as one is inclined to compare the
10-7 value with the frequency interval lower limit estimated for these conditions (10-6).
However, this is an area requiring circumspection, for the operating condition table concerns
initiating events, compounded by penalising conditions such as the single failure criterion and
loss of off-site power. The probability of this load combination occurring is a priori far lower
than that attached to the initiating event alone. In this new approach, the probability is
estimated by combining the probabilities associated with each failure involved in the scenario
considered.
Complementary operating conditions
The process is applied in the following manner:
x The probability of the family of events considered is assessed;
x If the estimated probability is equal to or greater than 10-7 per year, the consequences are
assessed in the context of prevailing plant conditions;
308
x If the probability — consequences pair for a family of events is in the unacceptable area,
measures to improve the situation must be defined. This can be done by reducing the
probability or the consequences, or both.
Increased redundancy in safety-related systems comes immediately to mind, but the
gain in failure probability diminishes rapidly when the number of trains increases, due to
failures liable to affect all trains simultaneously and for the same reasons (common mode
failures). However, better use of existing equipment can lead to improvements. We shall now
discuss some examples of how these problems have been dealt with.
Anticipated transient without scram (ATWS)
American safety organizations raised in 1973 the problem of the failure of the
emergency shutdown system (scram), which involves the drop of all the reactor shutdown rod
cluster control (RCC) assemblies, during the frequent transients which trigger a scram. The
RCC assemblies drop by gravity when their holding mechanisms are de-energised. These
devices are de-energised by two series-mounted trip circuit breakers, supplied by two
independent channels. It would nonetheless appear that there is a probability of between 10-5
and 10-4 of failure of emergency shutdown for each request. Common mode failures have
been observed in the USA on emergency shutdown relays and breakers. Since this is a
relatively high probability, the results of a failure of emergency shutdown have been examined
for all cases studied of second-category incidents calling for emergency shutdown.
The most serious problems are the level of over-pressure in the primary cooling system
and continued supply of sufficient cooling to fuel rods. These studies show that if failure of
emergency shutdown is the only disturbance caused by the transient, no safety limits are
endangered.
On the other hand, detailed study of the structure of the logic of the protection system
controlling emergency shutdown revealed (in 1978) that, for certain faults in the logic, there is
also failure of the trip command for the turbine or the start-up command for steam generator
auxiliary feedwater system, because these commands are generated by the same systems as
emergency shutdown.
In the first scenario, stress levels on the primary cooling system would be close to the
maximum acceptable limits. In the second, these stresses may eventually exceed permissible
limits, when the first transient is the loss of normal water supply to steam generators. It was
therefore decided to diversify the control logic of emergency shutdown and of steam generator
auxiliary feedwater start-up and turbine trip, and even to diversify the sensors generating these
signals as of 1300 MW(e) plants, which had not been built at the time. Damaging cumulative
faults can now only come from accidental coincidences whose overall probability is
sufficiently low.
The ATWS problem is therefore considered to have been solved by such plant
modifications. It should be noted, however, that in all cases of automatic actuation of
protection or safety systems, operations teams are asked to confirm these commands
manually, hence using systems and equipment entirely independent of those used for the
initial commands.
309
Total loss of steam generator feedwater supply
During reactor operation, water supply to steam generators is ensured by the feedwater
flow control system, which recycles condensed steam after passage through the turbine. This
system, which is indispensable for electricity production, is not directly safety-related. It is not
unusual for this system to shut down completely. This is a second-category transient.
Furthermore, the original design of 900 and 1300 MW(e) plants provides for each emergency
shutdown of the reactor to stop this system and activate steam generator auxiliary feedwater
supply provided by a safety-related system.
The steam generator auxiliary feedwater system is driven by two motor-driven pumps
and one turbine-driven pump in the 900 MW(e) units and two turbine-driven pumps in the
1300 and 1400 MW(e) units. The probability of total failure of both systems is of several 10-5
per year, which justifies study of the consequences. Normal steam generator water supply
regulation was modified to reduce the predicted frequency of use of the auxiliary feedwater
system, but the overall gain was still not sufficient.
As is generally the case in the present paper, the scenario below corresponds to an
accumulation of pessimistic assumptions. The most unfavourable initial condition is also the
most frequent: the reactor is operating at nominal full power, and the loss of normal water
supply to the steam generators causes emergency shutdown of the reactor and gives the
auxiliary feedwater system start-up command after 16 seconds. It is postulated that the
auxiliary system fails to start.
As long as the steam generators contain secondary water, they remove almost all the
residual power of the core. But this level drops and the generators dry out after fifteen
minutes. As soon as there is no more secondary water in the steam generators, water in the
primary cooling system heats up rapidly and expands. As the primary cooling system pressure
rises, the pressurizer fills up. The pressurizer relief valves open, but the pressure rise in the
primary cooling circuit does not stop right away.
This pressure stabilises around 165 bar with the relief valves open. Water from the
primary cooling system gradually drains into the containment and core meltdown is inevitable,
because no signal started up the emergency core cooling system, which is normally tripped by
low pressure in the primary cooling system.
In order to prevent core meltdown, its residual heat must be removed; for this, the
pressurizer relief valves must open without fail, but the water which has leaked from the
primary cooling system must be replaced by manual starting of the safety injection system.
Finally, for safety injection to be effective, it must be started before pressure in the primary
cooling system exceed the discharge pressure of the emergency core cooling system.
In this case, the core is cooled by water from a once-through system, coming from the
emergency core cooling system and pouring into the containment (known as “feed and bleed”
cooling of the primary system). This involves a sort of chase between the increase in primary
pressure and the opening of the greatest possible number of relief vents, along with safety
injection. Operators must therefore act very quickly. If they intervene within fifteen minutes,
the core is saved and there is no clad failure. If they intervene within forty-five minutes, the
core is generally preserved but there are an increasing number of clad failures. If they
310
intervene after forty-five minutes, their action will have no effect and core meltdown is
inevitable.
There are ways to identify this accident. They include in particular various secondary
cooling water level indicators in the steam generators. These devices have been improved. But
deliberately creating a primary break, thereby contaminating the reactor building, is not an
easy decision for an operating team to take. This is confirmed by observation of the behaviour
of operators faced with this type of situation during simulator training.
The detailed study of this accident led to an operating procedure enabling core
meltdown to be avoided. Some technical measures have been taken to reduce the probability
of this accident and to help operator diagnosis.
Power transmission
Line
Auxiliary
Line
400 kV or 225 kV
225 kV or 63 kV
Turbogenerator set
Line
Transformer
900 MWe
24 kV
Unit
Transformer
TS
Auxiliary
Transformer
6,6 kV
LGA
TA
LGD
6,6 kV
LGC
LGB
A
B
LHA
Diesel generator sets
LHB
Train A
Train B
Emergency-supplied
Switchboard
FIG. 20. 900 MW(e) plant power supplies.
Total loss of power
There are many ways to supply the power needed for safety functions in French nuclear
power plants (Fig. 20).
x Two relatively independent external supplies from the national grid;
x House load operation, wherein the unit is separated from external power supplies and only
operates to supply its auxiliaries;
x Two internal supplies, each comprising a diesel-powered generator set.
311
Any one of these sources can supply all power needed for safety purposes. This power
is distributed to equipment which needs it by means of two electrical switchboards, each with
its own line. Each diesel generator is allocated to one of the switchboards. Total failure of
power supply to safety-related equipment may be caused by simultaneous failure of either all
power supplies or both electrical switchboards. The total probability of this is of a few 10-5
per year, due in almost equal proportions to failure of supplies or of switchboards. It is
therefore necessary to study the consequences.
The loss of both power supply lines causes:
x Control rods to drop;
x All motor-driven pumps to stop;
x All motorised valves to become immobilised, some in safe configurations;
x Loss of compressed air, at least after depressurisation of the buffer tanks on certain
circuits;
x Depletion of batteries and, after an hour, loss of all indications and control in the control
room.
The fact that the reactor stops due to the control rods dropping helps, initially.
Shutdown of reactor coolant pumps fitted with flywheels is provided for in case of emergency
shutdown and ensures transition of the coolant to natural circulation. Removal of residual heat
can be ensured by means of steam generators supplied by the turbine-driven auxiliary
feedwater pump(s), with steam discharged to the atmosphere.
On the other hand, the hydrodynamic seals of reactor coolant pumps will rapidly suffer
the consequences of shutdown of chemical and volume control system pumps, which inject
water at very high pressure into these seals, and shutdown of the component cooling system,
which supplies cold water to the thermal barrier which helps protect them. The result is a
significant risk that these seals will become damaged and a primary break occur. But the
safety injection system is not operative, except for the accumulator tanks, nor is containment
spraying. In a few hours, therefore, a very serious accident could occur.
It was decided to make certain modifications to installations (Fig. 21) and equipment,
and the corresponding operating procedures were added (H3):
x Use of the primary system motor-driven test pump8, which has a low flow rate, to establish
injection to the reactor coolant pump seals within two minutes. This pump is supplied by a
small emergency turbo-generator (LLS), installed on each 1300 MW(e) and 1400 MW(e)
unit and driven by steam from the steam generators (each pair of 900 MW(e) units is
equipped with a test pump and an LLS);
x Maintenance of a minimum of control and instrumentation functions, for control of
pressure and temperature in primary and secondary cooling systems, control of primary
system refill and speed control of the turbine-driven pump(s) for auxiliary supply of the
steam generator and the atmospheric steam relief valves. The small turbo-generator also
provides the supplies needed for these.
8
The test pump is used to pressurise the primary system for the regulatory start-up and periodic tests via the
reactor coolant pump seal injection lines.
312
Dump to
Instrument air
atmosphere
Tank
Turbine-driven
AFW pump
AFW Tank
Atmosphere
LLS Turbogenerator
Instrumentation
G
and Control
Atmosphere
LLS Switchboard
M
RWST
RCS
Test Pump
Reactor Coolant Pump
FIG. 21. Remedying total loss of power situations.
If water from the primary cooling system is not being discharged, the pressurizer fills
up due to the water injection to the reactor coolant pump seals. The space needed is created by
using the steam generators to cool the primary coolant, thereby causing it to contract (at the
beginning of this scenario at rated power, primary cooling water, at average temperature
286°C, has a relative density of approximately 0.7; it should be possible therefore to gain
around 100 m3). The first studies showed that it would be possible to keep the fuel in a
satisfactory condition for 20 hours under these conditions. It proved possible to extend this
period even more by optimising procedures and re-supplying the steam generator auxiliary
feedwater tank. It should be pointed out that this procedure and the associated equipment
make it possible to completely avoid damage to the fuel and significant radioactive release.
These periods are now sufficient to re-establish an external power supply from:
x A unit in house load operation on the same site;
x A neighbouring site;
x A nearby hydraulic generator set;
x Start-up of the site gas turbine or emergency diesel generator provided to supplement the
power supply possibilities of each site to improve availability;
x Connection of the back-up electrical switchboards to the diesel generator of a
neighbouring unit;
x Bypassing the inoperable electrical switchboards by means of the connection harnesses
used during routine testing.
313
All units in service are now equipped with these systems and the problems of reliability
of the additional equipment are gradually being solved.
List of complementary procedures
We have just seen in detail three accident situations where probabilistic studies led to
additional provisions. These are not the only ones. We shall only discuss the remaining ones
quickly, after giving the list of those accompanied by operating procedures:
x H1: Loss of the heat sink or systems ensuring heat transfer to it;
x H2: Total loss of water supply to steam generators;
x H3: Total loss of power;
x H4: Loss of the safety injection system or the containment spray system, during the longterm period following a LOCA type accident.
x H5: Protection of certain river sites against floods higher than the thousand-year flood.
Total loss of the heat sink
Available site water reserves, and the procedures used to re-supply the steam generator
auxiliary feedwater tank, ensure sufficient time to restore the heat sink, or actuate the systems
ensuring heat transfer to it, when the primary cooling system is pressurised. The procedures
indicate what to do in various situations, whether the reactor be power operating or shut down.
Total loss of the safety injection system or the containment spray system
The accident which occurred at the Three Mile Island reactor confirmed the need and
also the difficulty of keeping active for months systems rendered inaccessible for maintenance
or repair by the radioactivity of the fluid they contain. Probabilistic checks confirmed that the
probability of pumping system failure over a period of several months could not be
overlooked. The two particular systems involved each had two pumps, one of which was
sufficient. These four pumps have similar characteristics. The installation of connections
between the two systems ensure mutual back-up. These connections must, of course, be fitted
in advance on systems not yet contaminated.
Procedure U3 concerns total failure of all pumps. It mainly consists in prefitted
connections accessible after a LOCA, enabling use of a pumping system and, if required, a
heat exchanger, which are not routine plant equipment but can be brought to the site in the
event of an emergency. These devices, together with associated radiation protection
provisions, are designed to enable intervention, for example, two weeks after a major primary
break.
Like the I procedures (for Incident) and A procedures (for Accident), derived from the
event-oriented deterministic approach, the goal of the H procedures is to prevent or limit
damage to fuel.
314
It is important to bear in mind that, given the manner in which the scenarios and
corresponding probabilities are determined, the first three H procedures cover events which
are far more likely to occur than major primary or secondary system breaks for example, even
though attention was drawn to them at a later date.
The H procedures, by organizing in advance optimal use of all equipment provided in
the deterministic context or of relatively little additional equipment, make it possible to
prevent clad failures in the situations concerned, thereby supporting the first and third levels
of defence in depth.
315
Appendix III
PREPARATION FOR THE MANAGEMENT OF SEVERE ACCIDENTS
Environmental release due to the Three Mile Island accident was very slight owing to
the satisfactory performance of the reactor containment. However, both those directly
responsible for the plant and the local and federal authorities were unsure for several days how
the situation was going to develop and were considering evacuating populations. Finally, it
was decided to evacuate only pregnant women, which in fact proved to have been
unnecessary. This event made it evident that means had to be provided for the systematic
management of such situations should they reoccur despite improved preventive measures.
This proved that the reactor containment behave well under conditions well outside the
design basis spectrum. This also suggests that when planning to deal with such accidents one
needs robust designs and must provide tools for forecast ways in which the situation could
develop, indicate corresponding release breakdowns and the paths to the environment under
the specific conditions of the accident considered. All authorities concerned would then be
able to make timely and well adapted decisions for the protection of populations and the
environment. These aspects will be investigated in this and the next two Sections.
Before assessing containment behaviour, we have to consider the successive physical
phenomena liable to occur in a pressurized water power reactor during what is known as a
“severe accident”, i.e. an accident the potential consequences of which exceed those of design
basis accidents. Before such conditions could be reached, the fuel would presumably have had
to be significantly degraded by more or less complete core meltdown.
Core and vessel degradation
The sequence of events which would occur under conditions corresponding to the total
failure to respond of these two safeguard systems and of other core meltdown prevention
procedures are considered further below.
Core dewatering
There are two categories of primary system drainage situations:
x Primary system breaks, causing core dewatering at a relatively low pressure, a few tens of
bar at most;
x Failure of secondary system cooling procedures, resulting in water and steam dumping
through the pressurizer relief valves, inducing core dewatering at high pressure, in the
vicinity of the normal operating pressure.
Depending on the initial condition, the size of the break, the accident sequence, the
safeguard system failure level, dewatering may take from less than a minute to several hours
or even days. For example, a 5 cm diameter hole on a main primary system pipe would result
in fuel uncovering in 30 minutes if no safety injection were available.
316
Fuel degradation
As the water level recedes, the temperature of the uncovered part of the core rises due
to the residual power. The zircaloy cladding, which is at a temperature of 350°C or less under
normal operating conditions, starts deforming at between 700 and 900°C. If the pressure in the
vessel is low, the cladding swells and bursts. If this pressure is high, it collapses onto the fuel
pellets, facilitating the formation of a eutectic UO2-Zr which melts at around 1200 to 1400°C.
In both these cases, the volatile fission products which have accumulated in the clad-pellet
gap are released into the primary system.
The zirconium in the cladding oxidises upon contact with the steam. The kinetics of
this phenomenon increase rapidly with temperature and double every 50°C. But it must be
borne in mind that :
x This is an exothermic reaction, generating its own heat as it progresses which means that
the phenomenon is also divergent;
x The reaction releases hydrogen9 to the primary system and then to the containment. This
will considerably reduce the cooling capacity of the steam generators and generate a risk
of hydrogen combustion within the containment;
x The cladding is embrittled, which accelerates its destruction in the event of a thermal
shock.
When the fuel pellet temperature increases, the fission product release kinetics
increase. At between about 1300 and 2200°C, the control rods constituents (silver, indium and
cadmium) melt and vaporise. At around 1800°C, the oxidised part of the cladding will melt
and begin to flow.
It is not until a temperature of 2700 to 2800°C is reached that, unless a eutectic is
formed with the zirconium, that the uranium oxide itself melts, thereby inducing loss of core
geometry by local, and then general, collapse. This will give rise to formation of the first
corium, which is a molten mass of fuel and structural materials, held in their molten condition
by the residual heat of the fission products. Practically all of the most volatile fission products
have at this point escaped from the fuel.
Vessel degradation
The collapse of the core components induces the sudden vaporisation of any water
remaining at the bottom of the vessel, more or less closely followed, depending on the primary
system pressure, by perforation of the vessel bottom head. This can take a few tens of minutes
or several hours. If the primary system is pressurised, the corium may be dispersed on leaving
the vessel. This could facilitate a further sudden interaction with any water at the bottom of
the vessel. However; in all cases, it is postulated for accident management studies that all the
corium collects in the bottom of the vessel.
9
The oxidizing of 1 kilogram of Zircaloy produces about half a cubic meter of hydrogen at normal pressure and
temperature. Considering the quantities of zirconium present in each type of installation, this corresponds to the
production of about 1 kilogram of hydrogen per MW(e).
317
Basemat erosion
The basemat concrete then decomposes under the thermal effects of the residual heat
released from the corium, increased to begin with by heat from the oxidation of metals, such
as the vessel steel or the remaining zirconium. The free water, bound water and carbon
dioxide gas contained in the concrete will be released and penetrate the corium, where they
will contribute to the oxidation of any remaining metal materials and the production of
hydrogen and carbon monoxide, both of which are combustible. The calcium and silica oxides
will be gradually integrated into the corium.
As soon as the oxidation reaction is over, the corium will gradually cool. The
temperature of the oxide phase containing the main non-volatile radioactive products will
stabilise for a long period at between 1300 and 2200°C when a near-equilibrium is reached
between the residual heat and the thermal losses at the corium surface and the corium-concrete
interface. If a denser metal phase remains, it will contain few radioactive products. It will cool
faster and solidify within a few hours, thereby slowing down the progression of the corium.
So the fast basemat erosion phase would last about an hour and would correspond to
concrete degradation to a depth of about 1 meter (Table XVIII). The rate of degradation would
then decrease to a few centimetres per hour, strongly influenced by the specific properties of
concrete.
Further penetration stops when the corium-concrete interface temperature falls below
the concrete decomposition temperature, which is about 1100°C. However, basemat meltthrough is considered almost inevitable. The corium would then stop after penetrating a few
meters into the subsoil. As its residual heat decreases and the volume deposited beneath the
foundations increases, it then cools by thermal conduction and solidifies.
TABLE XVIII. BASEMAT EROSION KINETICS
Penetration depth
Minimum time
Maximum time
2m
0.8 d
1.4 d
3m
1.5 d
2.9 d
4m
2.5 d
2.3 d
5m
3.8 d
6.2 d
Complementary studies have been undertaken to investigate basemat fast cracking
hazards related to the thermal shock caused by contact with the corium.
The Rasmussen report
At the request of the American safety authorities, Professor Norman C. Rasmussen of
the Massachusetts Institute of Technology (MIT), conducted from 1972 to 1975 a scientific
investigation into hazards created by the use of nuclear power reactors. This overall survey
based on earlier studies gave a systematic analysis of accident scenarios and was aimed at
defining a relationship between accident probabilities and resulting numbers of deaths. The
Rasmussen report, published in 1975 under the references WASH 1400 and NUREG 75-014,
is still the basis of all PWR severe accident studies. It is also the first example of a
probabilistic safety study giving figures for the probable impact on the population.
The French Safety Authorities took an immediate interest in this survey, less from the
standpoint of the probabilities and consequences for populations, which involve considerable
318
uncertainties, than with regard to the aspects dealing with reactor core degradation and the
behaviour of a reactor containment. The Three Mile Island accident obviously further
stimulated discussions on these subjects and caused the various nuclear participants in France
to move on from theoretical assessments to the implementation of practical measures. That
accident clearly demonstrated the value of having a well-designed containment to protect both
the public and the environment. The Chernobyl accident, an unfortunate example of core
degradation with unconfined radioactive release, only serves to reinforce this conviction.
The Rasmussen containment failure mode classification is still used and comprises six
main modes:
x Mode D: steam explosion in the vessel or reactor pit, inducing loss of containment
integrity in the short term;
x Mode E: initial or fast-induced loss of integrity;
x Mode J: hydrogen explosion;
x Mode G: slow over pressurization;
x Mode H: basemat melt-through by the corium.
Mode V, which bypasses the containment using outgoing pipes, is dealt with
separately, since it does not directly concern the behaviour of the containment building.
All except mode E, (and Mode V) result eventually in formation of corium and rupture
of the reactor pressure vessel, unless the molten fuel becomes dispersed.
It should be borne in mind that with the fuel enrichment proportions adopted for
nuclear power plants equipped with light water reactors, a chain reaction cannot take place
without the right moderator geometry. On the other hand, a very small number of fuel
elements, having maintained their geometry while submerged in pure water, can constitute a
critical configuration. Whatever the size and geometry of the compact corium, reverting to
criticality should not be possible. However, investigations are still proceeding into other
possible unforeseen configurations and specific mixtures.
The Rasmussen report describes a large number of special sequences, grouped in
families, all related to the technology of the American reactors which provided the basis for
studies and know-how at that time. Systematic discussion of that work is not relevant here
because they do not deal with reactivity accidents characterised by high speed kinetics.
Thorough analysis of the Rasmussen report in terms of the French nuclear units started
in 1975. It was, from the outset, mainly focused on the definition of a means of limiting the
consequences of severe accidents. It was organized around two complementary topics:
x Simplified characteristics of types of release;
x Analysis of failure modes and provisions to deal with them.
319
Deeper insight together with the probabilistic safety studies enable initial trends to be
brought into line with more realistic views and solutions, which will gradually be taken into
account.
Source terms
The institute for protection and nuclear safety (IPSN) sought to characterize specific
types of release called “source terms”. A source term is a specific type of release characteristic
of a reactor family representative of a type of accident, i.e. in general, a mode of containment
failure following complete core meltdown. It is taken into consideration to define appropriate
corrective actions for the protection of populations under these extreme emergency conditions.
There are three source terms, listed below in decreasing order of seriousness:
x Source term S1 corresponds to early containment failure a few hours after onset of the
accident;
x Source term S2 corresponds to direct release to the atmosphere following loss of
containment integrity one or several days after accident initiation;
x Source term S3 corresponds to indirect, delayed release to the atmosphere.
These studies were underway at the time of the Three Mile Island accident. Provisional
values which would have been smoothed became set values, which explains the inappropriate
precision of certain figures (Table XIX).
As in the Rasmussen survey, assessments were aimed at reality. The purpose here was
not to provide a safety demonstration based on penalising assumptions, but to optimise plants
where basic design has been definitely adopted or to define organizational procedures for the
protection of the general public. However, each source term covers, by definition, a certain
number of possible scenarios. The values retained in this context are presented as percentages
of the initial activity of the radioactive products present in the reactor core:
Modes D, E and J without prevention and mitigation provisions could lead to S1 type
release. Mode G could lead to S2 type release. Mode H, loss of containment integrity by
basemat melt-through, could lead to S3 type release.
TABLE XIX. PERCENTAGE OF RADIOACTIVE PRODUCTS RELEASED TO THE
ATMOSPHERE.
Source term
Noble gases
Mineral iodine
Organic iodine
Caesium
Tellurium
Strontium
Ruthenium
Lanthanides and Actinides
320
S1
80
60
0.7
40
8
5
2
0.3
S2
75
2.7
0.55
5.5
5.5
0.6
0.5
0.08
S3
75
0.3
0.55
0.35
0.35
0.04
0.03
0.005
Uncertainties remain as to iodine and aerosol behaviour, despite the continued
implementation of large scale experimental research programmes. The gradual improvement
of our knowledge in these areas could ultimately modify the source terms presently defined. It
would also lead to design optimisation for future reactors where the defence in depth
provisions would enhance prevention of substantial radioactive release.
Severe accident management studies in France
In tandem with the definition of source terms, the French study programmes included
examination of each of the Rasmussen degradation modes to determine their relevance to
French plants and define ways of lessening the probability or consequences by reinforcing the
final containment barrier. For there may be simple means of preserving or restoring
containment integrity, but these could only be used under particularly difficult conditions if
their implementation had been thoroughly prepared beforehand.
The different failure modes were then considered under conditions postulated in the
light of the Rasmussen report and discussions on the French standardized power plants. The
following scenario was thus postulated, for instance: with primary system cooling no longer
assured, the system drains, the core melts and penetrates through the bottom of the vessel in
about 2 hours. The basemat is eroded by the corium produced, which finally melts through it.
The kinetics of this accident are relatively slow. This scenario could correspond to that of a
large primary break compounded by total loss of safety injection and containment spray
capability.
Incidents or anomalies observed in France show that simultaneous failure of the pumps
actuating these two systems is reasonably likely. Several incidents and non-conformance
could be possible precursors. An example happened with the sump filter anomaly observed on
the 1300 MW(e) units. Incompatible lubricants had been used for the safety injection pump
seal oil but was not detected by routine checks. They were detected in the course of inspection
or maintenance operations — confirming the importance and efficiency of the latter — and
were of course corrected. Such anomalies on their own could not cause a primary system
break but could have worsened the effects if one had happened.
However, the probability of the type of scenario described would not seem high enough
to call into question the design basis of the plants concerned. But, on grounds of defence in
depth, we nevertheless do our utmost to improve the possibilities offered for the practical
control of such situations, based on realistic scenarios. The Rasmussen containment
degradation modes are being re-examined on this basis with a view to determining their
plausibility and defining possible improvements in the framework of a given design basis.
These studies are based on knowledge which is still very limited. This justifies the
organization and pursuance of experimental work in difficult fields. Although results are still
pending, decisions nevertheless have to be made. The solutions adopted in this context are
consequently not given the same quality level and degree of certainty as were obtained for the
original design studies. This is one of the basic characteristics of severe accident management
studies. It will obviously evolve as new data becomes available.
In 1981, EDF was asked to define ultimate emergency procedures designed to prevent
or minimise the radiological consequences of severe accidents. Provisions in this respect have
been progressively proposed by the national utility and their principles accepted by the safety
321
authorities. All French plants have now been equipped accordingly. However, greater insight
into these questions and continued research could result in further modifications
Loss of containment integrity due to a steam explosion
The Rasmussen mode D scenario is as follows: a large primary system break occurs
and neither the safety injection nor the containment spray systems are operable. After 1 to 2
hours, the core melts and drops either into the bottom of the vessel or through the vessel into
the reactor pit. In both cases, if the corium is sufficiently dispersed and if there is water in the
bottom of the vessel or of the reactor pit, a steam explosion could occur upon contact with the
water, releasing sufficient energy to project missiles which could impair containment
integrity. Mode D thus implies considerable dispersion of the fuel for the heat transfer area
between the hot fuel and the water to be large enough to cause a steam explosion and also
requires a sufficient quantity of water. On the basis of the scenarios described, this occurrence
seems highly unlikely, but with the present state of the art, this cannot be demonstrated.
Studies are still proceeding, but experts assembled by the OECD considered loss of
containment integrity due to this phenomenon to be sufficiently unlikely and this mode was
dropped from the French study programmes.
It was not until the Chernobyl accident and the reopening of criticality accident study
programmes that this mode came back to the forefront in the context of entirely different
scenarios (fast introduction into the core of a sufficient volume of non borated water in hot
shutdown conditions). The kinetics of the phenomenon are, in any case, too sudden for
accident management procedures to be of any assistance. As a result, such severe criticality
accidents must be convincingly avoided by preventive measures.
Containment isolation faults
Containment integrity is monitored continuously monitored by comparing the
containment gas injection rate (leaks from compressed gas systems or valve motion in
response to use of these gases) with internal pressure changes. Routine tests on the
containment penetration isolation valves confirm that they are operating correctly.
Pressurisation of the containment at start-up and every ten years enables its leak rate to be
compared with the specified values. These provisions should suffice to preclude any serious
isolation faults prior to the accident. Leaks can however occur if the automatic isolation of the
various penetrations under accident conditions fails to operate correctly or if the air locks are
defective. This loss of containment integrity mode, mode E, is extremely important, since it
can lead to radioactive release to the environment very early on in the accident. The short time
interval involved is not sufficient for radioactive decay and deposition in the containment to
play a role, nor for the public authorities to take steps for the short term protection of
populations in the immediate vicinity of the plant.
In order to deal with such situations, EDF developed its procedure in the event of a
containment isolation fault named U2. The purpose of this procedure is to monitor
containment integrity under accident conditions, as soon as a certain level of radioactivity is
detected in the containment, even for minor accidents, and to identify and localise any defects,
providing, if possible, remedial action. This procedure supplements the continuous monitoring
of the containment leak rate under normal operating conditions.
322
U2 comprises a set of actions defining:
x Containment surveillance conditions, by measuring radioactivity released from the stack,
present in the sumps or in peripheral facilities and their ventilation ductwork, and by
verification of the condition of isolation valves;
x The types of action to be taken, such as confirmation of isolation commands, the
localisation of leaks and the determination of how to eliminate them, the containment of a
room or, at a later stage, the return of liquid wastes to the reactor building.
With all these different precautions, it should be possible to restrict short term release
to values defined for design basis accidents.
Hydrogen production and combustion
In the description of LOCA accidents, we mentioned the risk of a water-zirconium
reaction, producing both energy and hydrogen. In the context of 4th category accidents, it is
stipulated that clad temperature shall not exceed 1204°C and that the reaction shall not
involve more than 1% of the zirconium. In the circumstances considered, since core meltdown
is postulated together with formation of corium, it must be assumed that much of the
zirconium in the core will have reacted with water and released hydrogen, according to
mechanisms described at the beginning of this Section.
As long as this hydrogen remains in the primary system, it cannot burn because there is
no free oxygen. This is no longer the case if it reaches the containment atmosphere. However,
for there to be an explosion, there has to be an appropriate blend of hydrogen, air and steam
(see SHAPIRO chart, Fig. 22). Combustion also requires a detonator.
Metal corrosion in the containment, radiolysis10 of sump water and corium-concrete
interaction are also sources of hydrogen, but the quantities produced by the first two
phenomena are slight. Corium-concrete interaction, on the other hand, can produce in 48
hours a quantity of hydrogen equivalent to that resulting from a zirconium reaction.
Mode J corresponds to loss of containment integrity due to a hydrogen and carbon
monoxide explosion in the reactor containment. In fact, we have to differentiate between two
types of fast combustion: deflagration and detonation, the conditions and consequences of
which are very different.
Deflagration
A deflagration is a form of combustion which, once initiated, is propagated through the
mixture by gas conduction heating and diffusion of free radicals in the unburned gas area.
Propagation occurs at a speed of several meters per second. It can be triggered with relatively
low proportions of hydrogen (the SHAPIRO chart gives a threshold of about 4% in dry air).
The initiating energy level required is slight, less than 1 milliJoule. A hot spot of about 500°C
can trigger spontaneous ignition if there is no steam. On the other hand, beyond a steam
concentration of 50 to 60%, there is no risk of deflagration.
10
Radiation-induced decomposition of water into free hydrogen and oxygen.
323
100
Air (% mole)
Detonation Limits
80
20
40
60
Deflagration Limits
60
40
1 bar - 30°C
1 bar - 150°C
8 bar - 150°C
20
80
H2O (% mole)
100
100
80
60
40
20
H2 (% mole)
FIG. 22. Shapiro chart. Ignitibility limits for the H2–H2O–Air mixture.
The mean containment concentrations reached under accident conditions having
induced major zirconium-steam reactions are sufficient for hydrogen deflagration providing
there is no inerting effect from steam. Such deflagrations occur extremely fast, and long
before there has been any significant contribution from the reaction between the corium and
the basemat, which means that the two modes of hydrogen production would be disconnected.
The immediate or delayed operation of the containment spray system, which will lead to
condensation of the steam in the containment, would have a significant effect on triggering a
deflagration.
If we postulate the combustion of all the hydrogen produced by oxidation of all
zirconium present in the vessel in a single deflagration, the maximum instantaneous pressure
reached in the containment would not suffice to crack the liner of a 900 MW(e) unit, at least
where there are no discontinuities, so overall leak tightness would be preserved.
Such an incident could, on the other hand, cause at least transient through-wall
cracking in the 1300 MW(e) unit inner containment (the concrete is prestressed), although
sufficient margins would be preserved with respect to structural failure. Table XX presents
pressures calculated under adiabatic conditions, but also taking into account heat exchanges
with the structures, which is more realistic.
The effects of concrete thermal stressing are under investigation. It is indispensable to
ensure in all cases that isolation valves and electric cable penetrations remain unimpaired.
It should be borne in mind that this table is based on two postulates: reaction of all
vessel zirconium with the water and combustion of the hydrogen produced in a single
deflagration. In the majority of cases, the hydrogen would progressively exit the core soon as
it is produced, entrained in the escaping primary fluid. There could then be several successive
deflagrations, none of which could cause an over pressure that would damage the
containment.
324
TABLE XX. H2 PRODUCTION AND CONTAINMENT CHARACTERISTICS
Standardized plant series
Free volume (m3)
Zircaloy mass (kg)
H2 produced by 100% oxidation
(TPN m3)
Mean H2 concentration in a dry
atmosphere
Design basis pressure
Through-wall cracking limit
Collapse limit
Maximum deflagration pressure
under adiabatic conditions
Maximum deflagration pressure
with heat exchanges
*
CP 0
46 000
19 820
9 766
CP 1-2
50 400
21 600
10 651
P4
81 500
27 920
13 765
P’4
70 440
27 920
13 765
N4
73 000
29 660
14 623
19.1%
19.3%
22.8%
17.8%
18.2%
4.7 bar*
5 bar
13 bar
10.7 bar
4.8 bar
7.5 bar
10.4 bar
8.95 bar
5.2 bar
8.1 bar
11.8 bar
9.75 bar
5.3 bar
8.3 bar
11.8 bar
9.75 bar
9.2 bar
7.6 bar
8.3 bar
8.3 bar
< 9.2 bar
The pressures are indicated in absolute values.
It is interesting to note in this connection that the possibility is being considered of
equipping containments with an appropriately sized catalytic recombination system for
removal of free hydrogen before deflagration concentrations could be reached.
Detonation
A detonation is a form of combustion occurring at the interface between supersonic
shock waves and the unburned gas compression wave, producing a chemical reaction. A
detonation implies far higher hydrogen concentrations than a deflagration. The SHAPIRO
chart defines the detonation range as between 18 and 55% of hydrogen in dry air. Recent
experiments show that the threshold would be lower for very large volumes. The required
initiating energy depends on H2 concentration very much.
The presence of steam raises both the concentration threshold and the initiating energy
requirements. But it is logical to assume that a considerable proportion of the primary system
water will be in the containment following core meltdown. At least part of the 300 or 400 m3
of water would certainly be there, in the form of steam, especially if the containment spray
system is inoperable. If this system had been working, there would have been a deflagration,
and would not apply to a loss of core cooling resulting from major primary coolant leakage
outside the containment. But in this case, it would seem probable that the hydrogen would be
entrained to the atmosphere, as would the volatile fission products.
The 900 MW(e) reactor containment has the highest theoretical hydrogen
concentrations. They are located towards the lower detonation limit of the Shapiro chart. They
would be diminished by the presence of steam.
In the course of experiments, flame acceleration mechanisms have been observed in
pipes featuring discontinuities, able to induce transition from deflagration to detonation, but
these results are difficult to extrapolate to the dimensions of a containment. Studies are
proceeding to determine the characteristic dimension beyond which the phenomenon
disappears and also the consequences of a detonation in a bunkered area.
325
1.00E+06
30 % steam
Initiation energy in kJ
1.00E+05
20 % steam
1.00E+04
1.00E+03
1.00E+02
10 % steam
1.00E+01
1.00E+00
10
20
30
40
50
60
70
Hydrogen percentage in volume
FIG. 23. Energy required to initiate a detonation in an unconfined atmosphere.
All things considered, the probability of loss of containment integrity due to hydrogen
combustion seems slight. At the present time, no accident provisions are made in this respect.
There is consequently no special procedure for these circumstances. However, complementary
investigations are still proceeding, notably concerning the conditions under which the various
gases mix, the risks of stratification and local hydrogen concentrations and also the degree to
which containment strength is affected by the differences in reinforced concrete densities.
Slow pressure buildups in the containment
Mode G corresponds to a longer term containment failure caused by overheating of the
containment atmosphere caused by inefficient removal of fission product energy and the
gradual release of very large quantities of gas during damage to the foundations caused by
corium melt-through. These gases could also be accompanied by steam from the water used to
try and impede the corium advance by cooling it. In these circumstances, the containment
pressure could rise steadily, reaching the design basis limit after about 24 hours and then
continuing relentlessly beyond.
It was decided to deal with the possibility of irremediable loss of containment integrity
by over pressure by providing a containment pressure control device, consisting of a filtered
venting system designed for use when required:
To restrict containment pressure to the design basis value;
To reduce by a factor of at least 10 the aerosols contained in the gases released;
To route the filtered gases to the stack which is equipped to monitor their radioactivity and
facilitate their atmospheric dispersion.
326
The solution adopted consists in using a containment penetration initially intended for
depressurisation purposes during acceptance pressure tests and the subsequent routine leak
tests. A set of valves, a pressure-reducing device and a sand bed filter package, 42 m2 in face
area and 80 cm deep, are fitted between this penetration and the stack. Later on, it was decided
to install a prefiltration package inside the containment to solve, among other, radiation
protection problems.
The U5 procedure “containment depressurization” only would be implemented under
severe accident conditions after close consultation with the EDF central services and the
public authorities.
Early release paths through the basemat
The vessel failure postulated in severe accident studies results in the corium falling
through to the bottom of the reactor pit. We described at the beginning of this Section various
physical events related to erosion by thermal phenomena. Mode H corresponds to basemat
“rupture” after its complete melt-through by the corium. This would require between one and
several days, depending on the basemat characteristics (4.20 m for the standardized
900 MW(e) units and 3 m for the 1300 and 1400 MW(e) units). This period would allow the
decay of short-lived radioactive products and the deposition of many others on the
containment walls or in the sump.
If the corium fell through the basemat, it would soon stop in the soil beneath, but the
groundwater could eventually be polluted by leaching processes11. Solutions include drilling a
system of shafts round the affected unit, equipped with pumps to prevent the transfer of
contaminated water to bleeding points, rivers or the sea. Any water at the bottom of the
containment, injected to try and cool the corium, would be heavily laden with radioactive
products and could pour out into the soil through the hole in the basemat, as could the
containment gases forced out by the internal pressure. It could prove more difficult to confine
such contamination. The atmospheric release would nevertheless be bounded by source term
S3.
So far, we have not discussed the various holes in the foundations which could be
affected by the corium and provide outlets for the pressurised gases in the containment. All
light water reactor buildings comprise dynamic testing systems, designed to monitor basemat
deformation with time, especially during containment pressurisation for periodic strength and
tightness tests. These devices are located 1 m below the basemat surface in the 1300 MW(e)
units and 1.70 m below in the 900 MW(e) units (Fig. 24). The 1300 MW(e) units are equipped
in addition with a basemat drainage system, located 2 m below the surface.
Compensatory measures were consequently defined and were the subject of procedure
U4: “handling early release paths through the basemats”. Since then, sealing systems,
plugging beneath the reactor pit and permanent obstructions have been installed. No further
action is required of the operators on this particular point, so that procedure U4 in fact no
longer exists. The modifications installed are aimed at taking advantage of radioactive decay
and ground filtration in the event of basemat perforation and extending the time available to
make the necessary off-site provisions.
11
Washing of free surfaces leading to extraction of soluble products.
327
Containment spray
Tank
Containment
G
J
CO2 CO
Heat
exchanger
H2O
Sand
Filter
Stack
H2
Fission
Products
D
Filter
E
Sumps
Auxiliary Buildings
Ventilation
ducts
Drains
H
FIG. 24. Rasmussen containment failure modes.
Identification and analysis of other scenarios
We have discussed the impact of the Rasmussen report as an initiator of severe
accident studies in France and in most of the countries using nuclear power. However, the
investigations are not restricted to analysis of the containment failure modes described in the
report. We have already mentioned the risks of direct release to the atmosphere due to
mishandled steam generator tube break sequences. The possibility of other direct release paths
bypassing the containment, is being carefully examined with a view to defining
complementary preventive measures and protective actions if and when required.
Mode V corresponds to such cases, postulating significant direct leaks in peripheral
buildings, due to defective tightness of the safety injection system check valves. Another
containment bypass has been identified on French plants. It is related to the fact that the
reactor cavity and spent fuel pit cooling and treatment system, which is outside the
containment and not pressure-resistant, is connected to the residual heat removal system,
which is designed to withstand 40 bar pressures. Structural provisions, together with special
surveillance and procedures combine to make this risk sufficiently improbable.
Radiological consequences of source term S3 and intervention provisions
On the basis of the accident studies presented above and providing the ultimate
emergency procedures are implemented, “maximum plausible release” values are bounded by
source term S3. The radiological consequences corresponding to this source term have been
assessed and population protection measures examined in the light of these consequences.
Since we are no longer in a design basis context, the assessment was not based on a recent set
of charts derived from the Doury charts, designed to deal with realistic and varied situations.
These charts take into account atmospheric stability, wind speed and rain.
328
To calculate them, it was considered that source term S3 could be represented by a
scenario involving a sand filter which would enable containment depressurisation within
24 hours, with release beginning 24 hours after onset of the accident. During the first 24
hours, a containment leak rate of 0.3% per day of the mass contained is postulated, with half
of this leakage escaping directly to the atmosphere, the other half being recovered and filtered
with a 100 factor efficiency.
Whole body dose equivalent due to external exposure (Sv)
1
Evacuation almost always justified
0.1
Sheltering almost always justified
3
0.01
1
2
0.001
1
10
100
Distance from the release point (in km)
FIG. 25. Radiological consequences due to source term S3.
Three types of weather conditions were considered:
(1) Normal diffusion, wind of 5 m/s, no rain (ND5d).
(2) Normal diffusion, wind of 5 m/s, rain at 1 mm/h (ND5r).
(3) Low diffusion, wind of 2 m/s, no rain (LD2).
The graphs show results obtained for:
x Whole body dose equivalent due to the plume compounded by ground deposits;
x Thyroid dose equivalents due to iodine.
These results have now to be compared with the possibilities of implementation of
protective measures for the general public. For this, we shall consider the recommendations
formulated by the International Commission on Radiological Protection before assessing the
possibilities of intervention by civil security teams in areas around the sites.
ICRP recommendations for accident situations
The International Commission for Radiological Protection proposed in its publication
63, released in 1993, a procedure ensuring population protection under accident conditions
(Table XXI). The procedure defines intervention levels mainly concerning evacuation and
confinement indoors, accompanied by the distribution of stable iodine, but is so devised as to
be open to constant improvement. Evacuation, confinement indoors or the administration of
stable iodine can obviously involve drawbacks with respect to the physical or psychological
well-being of the populations concerned or those assigned with implementing these measures.
Such drawbacks also have to be carefully weighed up. The same caution applies when
considering restrictions on the consumption of certain foodstuffs.
329
Thyroid dose equivalent (Sv)
10
Evacuation almost systematically justified
1
Sheltering almost systematically justified
3
0.1
1
2
0.01
1
10
100
Distance from the release point (in km)
FIG. 26. Radiological consequences due to source term S3.
TABLE XXI. ICRP PUBLICATION 63 RECOMMENDATIONS.
Intervention level of averted dose
Type of intervention
Almost always justified
Range of optimized values
Sheltering
50 mSv
Administration of stable
iodine
500 mSv(equivalent dose to
thyroid)
Evacuation (< 1 week)
Whole body dose
500 mSv
Equivalent dose to skin
5000 mSv
Relocation
1000 mSv
5–22 mSv per month
for prolonged exposure
Restrictions on a single
foodstuff
10 mSv (in 1 year)
1000 to 10,000 Bq/kg (E J
emitters)
10 to 100 Bq/kg (D emitters)
330
Not more than a factor of 10
lower than the justified value
The yardstick for intervention is the dose averted by the implementation of the
protective action. The indications in the above table are accompanied by cautious
considerations making full allowance for optimization. So the indications on the two graphs
representing the radiological consequences associated with source term S3 are to be
considered with prudence.
Scope of civil security interventions
Since the beginning of the eighties, the public authorities have also been working on
the definition of realistic ways of implementing protective measures for populations in the
vicinity of nuclear sites. They have estimated that, given the characteristics of the French sites,
they could implement the following provisions within 12 to 24 hours after the onset of an
accident:
x Evacuating the population in a 5 km radius round the site;
x Sheltering (confinement indoors) of the population in a 5–10 km radius round the site.
Complementary measures would, of course, be envisaged for the longer term. It is clear
from comparison that this degree of intervention would provide satisfactory protection in the
event of a release not exceeding source term S3. The onsite severe accident procedures are
consequently consistent with the population protection provisions, with respect to
recommendations currently in force. It should also be noted that, since the Chernobyl accident,
greater attention is paid to the social and economic disturbances created by longer term
problems, such as those resulting from food chain contamination.
The foodstuff marketing limits defined by the CEC following this accident are
extremely penalising, but have no actual health physics signification. With release
corresponding to source term S3, these limits would have to be applied at considerable
distances from the damaged plant for more or less long periods of time. This is a
preoccupation which will lead to “maximum plausible release” figures being more stringently
limited for future reactors.
List of ultimate emergency procedures
Although its identification initially classifies it in the ultimate emergency series,
procedure U3: “use of mobile facilities to back up safety injection and containment spraying”,
does not correspond to containment protection after core meltdown. On the contrary, it is
designed to prevent or limit this occurrence. As an extension to procedure H4, which provides
for mutual backup of the permanently installed pumps used for the low head safety injection
and containment spray systems, procedure U3 is used in the event of total loss of these pumps.
Basically, it consists of pre-installed connection devices, accessible after an accident, which
would enable the use of pumping facilities and a heat exchanger if necessary which are not
permanently installed in the units. The capacity of the equipment provided for and the
radiological protection afforded would enable intervention 15 days after a large primary break,
for example, although it is hoped that this period could be shortened without having to
consider the possibility of restoring containment spraying in the short term. The existence of
the H4-U3 facilities consequently does not affect the phenomena we have just described, since
they are aimed at core meltdown prevention.
331
There are two more procedures:
x U2: procedure in the event of a containment isolation fault.
x U5: containment depressurisation.
Summary of procedures
Table XXII summarizes the relationship between the various categories of operating
conditions and the procedures and provisions to contend with them. This only applies to
900MW(e) units nowadays, as French 1300 MW(e) and 1400 MW(e) units are now equipped
with a global symptom oriented approach which covers the complete area without
discontinuity. In the future, the 900 MW(e) units will benefit from the same system.
In addition to these procedures, the severe accident intervention guide used by the
emergency teams resolves possible contradictions between actions required by the different
procedures.
In order to safeguard the reactor core, water has to be injected by all available means to
flood the fuel, even though this water can have undesirable effects on the containment
pressure level. Similarly, restarting containment spraying will lower the steam concentration
but could have adverse effects with regard to deflagration hazards. The guide indicates current
thinking in this area and advises operators accordingly. It also contains decision elements as to
whether procedure U5 should be used.
TABLE XXII. PROCEDURE APPLICATION RANGES.
Order of magnitude
Design basis
of frequencies
operating range.
or probabilities
Estimated frequencies
of initiating events
Likely or frequent
10-2 to 1
10-4 to 10-2
10-6 to 10-4
< 10-6
Complementary
operating range.
Realistic
probabilities
Ultimate procedure application
range
I
A
A
U1
U2
H
U1
U2
H
U1
U2
U3
U4
U5
Internal emergency plan
The actions described above are part of a more comprehensive plan, broadly applicable
to all nuclear installations and known as the Internal Emergency Plan. This plan provides the
link between the damaged plant and the outside emergency teams whose action is organized
by the external emergency plan. The internal emergency plan is applied on the site under the
responsibility of the operating organization.
332
Its main purposes are to ensure:
x
x
x
x
Plant control and safeguards;
Emergency aid for any site casualties;
Protection for site personnel;
Warning and information of the public authorities.
The local crisis organization is conducted from:
x
x
x
x
x
A decision centre, the plant management control station;
Three operational centres;
The local unit control station, in the control room;
The site radiological monitoring control station;
The site logistic control station (transport, fluids, etc.).
This plan is co-ordinated with the off-site action plans by means of three mutually
adopted levels of application:
x Level 1 : Accident without radiological hazards but requiring assistance from outside
emergency teams;
x Level 2 : Accident with radiological hazards confined to the site;
x Level 3 : Radiological accident involving or liable to involve health consequences beyond
the site.
333
Appendix IV
LIST OF THE IAEA SAFETY REQUIREMENTS AND GUIDES
1. Governmental organization
GS-R-1
Legal and governmental infrastructure for nuclear, radiation, radioactive waste
and transport safety
GS-G-1.1
Safety Guides
Organization and staffing of the regulatory body for nuclear facilities
GS-G-1.2
Review and assessment of nuclear facilities by the regulatory body
GS-G-1.3
Regulatory inspection of nuclear facilities and enforcement by the regulatory
body
In preparation
Documentation to be produced or required in regulating nuclear facilities
50-SG-G6
Preparedness of public authorities for emergencies at nuclear power plants
2. Siting
50-C-S (Rev. 1)
Code on the safety of nuclear power plants: siting
50-SG-S1
Safety Guides
Earthquakes and associated topics in relation to nuclear power plant siting
50-SG-S3
Atmospheric dispersion in nuclear power plant siting
50-SG-S4
Site selection and evaluation for nuclear power plants with respect to
population distribution
50-SG-S5
External man-induced events in relation to nuclear power plant siting
50-SG-S6
Hydrological dispersion of radioactive material in relation to nuclear power
plant siting
50-SG-S7
Nuclear power plant siting: hydrogeological aspects
50-SG-S8
Safety aspects of the foundations of nuclear power plants
50-SG-S9
Site survey for nuclear power plants
50-SG-S10A
Design basis flood for nuclear power plants on river sites
50-SG-S10B
Design basis flood for nuclear power plants on coastal sites
334
50-SG-S11A
Extreme meteorological events in nuclear power plant siting, excluding
tropical cyclones
50-SG-S11B
Design basis tropical cyclone for nuclear power plants
3. Design
NS-R-1
Code on the safety of nuclear power plants: design
NS-G-1.1
Safety Guides
Software for computer based systems important to safety in nuclear
power plants
NS-G-1.2
Safety assessment and verification for nuclear power plants
NS-G-1.3
Instrumentation and control systems important to safety in nuclear
power plants
50-SG-D2 (Rev.1)
Fire Protection in nuclear power plants
50-G-D4
Protection against internally generated missiles and
their secondary effects in nuclear power plants
50-SG-D5 (Rev. 1)
External man-induced events in relation to nuclear
power plant design
50-SG-D6
Ultimate heat sink and directly associated heat transport
systems for nuclear power plants
50-SG-D7 (Rev. 1)
Emergency power systems at nuclear power plants
50-SG-D9
Design aspects of radiation protection for nuclear power plants
50-SG-D10
Fuel handling and storage systems in nuclear power plants
50-SG-D12
Design of the reactor containment systems in nuclear power plants
50-SG-D13
Reactor coolant and associated systems in nuclear power plants
50-SG-D14
Design for reactor core safety in nuclear power plants
50-SG-D15
Seismic design and qualification for nuclear power plants
335
4. Operation
NS-R-2
Safety of nuclear power plants: operation
Safety Guides
NS-G-2.1
Fire safety in operation of nuclear power plants
NS-G-2.2
Operational limits and conditions for nuclear power plants
NS-G-2.3
Modifications to nuclear power plants
NS-G-2.4
The operating organization for nuclear power plants
NS-G-2.5
Safety aspects of core management and fuel handling for nuclear power p
NS-G-2.6
Maintenance, surveillance and in-service inspection in nuclear
power plants
50-SG-O1 (Rev. 1)
Staffing of nuclear power plants and the recruitment, training and
authorization of operating personnel
NS-G-2.7
Radiation protection and radioactive waste management in the
operation of nuclear power plants
50-SG-O4
Commissioning procedures for nuclear power plants
50-SG-O6
Preparedness of the operating organization (licensee) for
emergencies at nuclear power plants
50-SG-O12
Periodic safety review of operational nuclear power plants
5. Quality assurance
50-C/SG-Q
336
Quality assurance for safety in nuclear power plants and
nuclear installations: Code and Safety Guides Q1–Q14
50-SG-Q1
Establishing and implementing a quality assurance programme
50-SG-Q2
Non-conformance control and corrective actions
50-SG-Q3
Document control and records
50-SG-Q4
Inspection and testing for acceptance
50-SG-Q5
Assessment of the implementation of the quality assurance programme
50-SG-Q6
Quality assurance in procurement of items and services
50-SG-Q7
Quality assurance in manufacturing
50-SG-Q8
Quality assurance in research and development
50-SG-Q9
Quality assurance in siting
50-SG-Q10
Quality assurance in design
50-SG-Q11
Quality assurance in construction
50-SG-Q12
Quality assurance in commissioning
50-SG-Q13
Quality assurance in operation
50-SG-Q14
Quality assurance in decommissioning
Safety practices
50-P-1
Application of the single failure criterion
50-P-2
In-service inspection of nuclear power plants: A manual
50-P-3
Data collection and record keeping for the management of nuclear
power plant ageing
50-P-4
Procedures for conducting probabilistic safety assessments of nuclear
power plants (Level 1)
50-P-5
Safety assessment of emergency power systems for nuclear power plants
50-P-6
Inspection of fire protection measures and fire fighting capability at
nuclear power plants
50-P-7
Treatment of external hazards in probabilistic safety assessment for
nuclear power plants
50-P-8
Procedures for conducting probabilistic safety assessments of nuclear
power plants (Level 2): accident progression, containment analysis and e
of accident source terms
50-P-9
Evaluation of fire hazard analyses for nuclear power plants
50-P-10
Human reliability analysis in probabilistic safety assessment for nuclear
power plants
50-P-11
Assessment of the overall fire safety arrangements at nuclear power
plants
50-P-12
Procedures for conducting probabilistic safety assessments of nuclear
power plants (Level 3): off-site consequences and estimation of risks to
the public
337
APPENDIX V — LIST OF FINNISH YVL GUIDES
General guides
YVL 1.0
YVL 1.1
YVL 1.2
YVL 1.3
YVL 1.4
YVL 1.5
YVL 1.6
YVL 1.7
YVL 1.8
YVL 1.9
YVL 1.11
YVL 1.13
YVL 1.14
YVL 1.15
YVL 1.16
Systems
YVL 2.1
YVL 2.2
YVL 2.3
YVL 2.4
YVL 2.5
YVL 2.6
YVL 2.7
YVL 2.8
Safety criteria for design of nuclear power plants, 12 January 1996
Finnish Centre for Radiation and Nuclear Safety as the regulatory authority for
the use of nuclear energy, 27 January 1992
Documents pertaining to safety control of nuclear facilities, 11 September 1995
Mechanical components and structures of nuclear power facilities. Inspection
licences, 22 October 1996 (in Finnish)
Quality assurance of nuclear power plants, 20 September 1991
Reporting nuclear power plant operation to the Finnish Centre for Radiation and
Nuclear Safety, 1 January 1995
Nuclear power plant operator licensing, 9 October 1995
Functions important to nuclear power plant safety, and training and qualification
of personnel, 28 December 1992
Repairs, modifications and preventive maintenance at nuclear facilities,
2 October 1986
Quality assurance during operation of nuclear power plants, 13 November 1991
Nuclear power plant operating experience feedback, 22 December 1994
Nuclear power plant outages, 9 January 1995
Mechanical components and structures of nuclear facilities, control of
manufacturing, , 4 October 1999 (in Finnish)
Mechanical components and structures in nuclear installations, construction
inspection, 19 December 1995 (in Finnish)
Control of nuclear liability insurance policies, 22 March 2000 (in Finnish).
Safety classification of nuclear power plant systems, structures and components,
22 May 1992
Transient and accident analyses for justification of technical solutions at nuclear
power plants, 18 January 1996
Preinspection of nuclear power plant systems, 14 August 1975
Primary and secondary circuit pressure control at a nuclear power plant,
18 January 1996
Pre-operational and start-up testing of nuclear power plants, 8 January 1991
Provision against earthquakes affecting nuclear facilities, 19 December 1988
Ensuring a nuclear power plant’s safety functions in provision for failures,
20 May 1996
Probabilistic safety analyses (PSA), 20 December 1996
Pressure vessels
YVL 3.0
Regulatory control of pressure vessels in nuclear facilities. General guidelines,
11 September 1996
YVL 3.1
Construction plan for nuclear facility pressure vessels, 27 May 1997 (in
Finnish)
YVL 3.3
Pressure vessels of nuclear facilities. Piping, 4 December 1996 (in Finnish)
338
YVL 3.4
YVL 3.7
YVL 3.8
YVL 3.9
Nuclear power plant pressure vessels. Manufacturer’s competence, 16 December
1996 (in Finnish)
Pressure vessels of nuclear facilities. Commissioning inspection, 12 December
1991
Nuclear power plant pressure vessels. Inservice inspections, 13 December 1993
Nuclear power plant pressure vessels. Construction and welding filler materials,
6 April 1995 (in Finnish)
Buildings and structures
YVL 4.1
Concrete structures for nuclear facilities, 22 May 1992
YVL 4.2
Steel structures for nuclear facilities, 19 January 1987
YVL 4.3
Fire protection at nuclear facilities, 1st November 1999
Other structures and components
YVL 5.1
Nuclear power plant diesel generators and their auxiliary systems, 23 January
1997 (in Finnish)
YVL 5.2
Nuclear power plant electrical systems and equipment, 23 January. 1997 (in
Finnish)
YVL 5.3
Regulatory control of nuclear facility valves and their actuators, 7 February 1991
YVL 5.4
Supervision of safety relief valves in nuclear facilities, 6 April 1995 (in Finnish)
YVL 5.5
Supervision of electric and instrumentation systems and components at nuclear
facilities, 7 June 1985
YVL 5.6
Ventilation systems and components of nuclear power plants, 23 November
1993
YVL 5.7
Pumps at nuclear facilities, 23 November 1993 (in Finnish)
YVL 5.8
Hoisting appliances and fuel handling equipment at nuclear facilities, 5 January
1987
Nuclear materials
YVL 6.1
Control of nuclear fuel and other nuclear materials required in the operation of
nuclear power plants, 19 June 1991
YVL 6.2
Fuel design limits and general design criteria, 1 November 1993
YVL 6.3
Supervision of fuel design and manufacture, 15 September 1993
YVL 6.4
Transport packages for nuclear material and waste, 9 October 1995
YVL 6.5
Supervision of nuclear fuel transport, 12 October 1995 (in Finnish)
YVL 6.6
Surveillance of nuclear fuel performance, 5 November 1990
YVL 6.7
Quality assurance of nuclear fuel, 23 November 1993
YVL 6.8
Handling and storage of nuclear fuel, 13 November 1991
YVL 6.9
The national system of accounting for and control of nuclear material,
23 September 1999 (in Finnish)
YVL 6.10 Reports to be submitted on nuclear materials, 23 September 1999 (in Finnish)
YVL 6.11 Physical protection of nuclear power plants, 13 July 1992 (in Finnish)
YVL 6.21
Physical protection of nuclear fuel transports, 15 Feb. 1988 (in Finnish)
Radiation protection
YVL 7.1
YVL 7.2
Limitation of public exposure in the environment of and limitation of radioactive
releases from nuclear power plants, 14. December 1992
Evaluation of population doses in the vicinity of a nuclear power plant,
23 January 1997 (in Finnish)
339
YVL 7.3
YVL 7.4
YVL 7.5
YVL 7.6
YVL 7.7
YVL 7.8
YVL 7.9
YVL 7.10
YVL 7.11
YVL 7.18
Evaluation of models for calculating the dispersion of radioactive substances
from nuclear power plants, 23 January 1997 (in Finnish)
Nuclear power plant emergency response arrangements, 23 January 1997 (in
Finnish)
Meteorological measurements of nuclear power plants, 28 December 1990
Monitoring of discharges of radioactive substances from nuclear power plants,
13 July 1992
Radiation monitoring in the environment of nuclear power plants,
11 December 1995
Environmental radiation safety reports of nuclear power plants, 11 December
1995 (in Finnish)
Radiation protection of nuclear power plant workers, 14 December 1992
Monitoring of occupational exposure at nuclear power plants, 29 August 1994
Radiation monitoring systems and equipment for nuclear power plants,
20 December 1996 (in Finnish)
Radiation protection in the design of nuclear power plants, 20 December 1996
(in Finnish)
Radioactive waste management
YVL 8.1
YVL 8.2
YVL 8.3
Disposal of reactor waste, 20 September 1991
Exemption from regulatory control of nuclear wastes, 19 March 1992
Treatment and storage of radioactive waste at a nuclear power plant, 20 August
1996
The YVL-guides without any language marking are available both in English and
Finnish.
340
Appendix VI
IAEA INTERNATIONAL NUCLEAR EVENTS SCALE (INES)
General description of the scale: The International Nuclear Event Scale (INES) is a means
for promptly communicating to the public in consistent terms the safety significance of events
reported at nuclear installations. By putting events into proper perspective, the Scale can ease
common understanding among the nuclear community, the media, and the public. It was
designed by an international group of experts convened jointly in 1989 by the International
Atomic Energy Agency (IAEA) and the Nuclear Energy Agency (NEA) of the Organization
for Economic Co-operation and Development. The Scale also reflects the experience gained
from the use of similar scales in France and Japan as well as from consideration of possible
scales in several other countries.
341
x The Scale was initially applied for a trial period to classify events at nuclear power plants
and then extended and adapted to enable it to be applied to any event associated with
radioactive material and/or radiation and to any event occurring during transport of
radioactive material. It is now operating successfully in over 60 countries.
The INES Information Service, the communication network built up on request
receives from and disseminates to the INES National Officers of 60 Member States, Event
Rating Forms that provide authoritative information related to nuclear events. Event Rating
Forms are circulated when events are significant for:
x Operational safety (INES level 2 and above).
x Public interest (INES level 1 and below).
The communication process has therefore led each participating country to set up a
structure which ensures that all events are promptly rated using the INES rating procedure to
facilitate communication whenever they have to be reported outside.
Events are classified on the Scale at 7 levels; the upper levels (4–7) are termed
accidents and the lower levels (1–3) incidents. Events which have no safety significance are
classified below scale at level 0 and are termed “deviations”. Events which have no safety
relevance are termed “out of scale”. The structure of the Scale is shown opposite, in the form
of a matrix with key words. Each level is defined in detail within the INES User’s Manual.
Events are considered in terms of three safety attributes or criteria represented by each of the
columns: off-site impact, on-site impact, and defence-in-depth degradation.
The second column in the matrix relates to events resulting in off-site releases of
radioactivity. Since this is the only consequence having a direct effect on the public, such
releases are understandably of particular concern. Thus, the lowest point in this column
represents a release giving the critical group an estimated radiation dose numerically
equivalent to about one-tenth of the annual dose limit for the public; this is classified as level
3. Such a dose is also typically about one-tenth of the average annual dose received from
natural background radiation. The highest level is a major nuclear accident with widespread
health and environmental consequences.
The third column considers the on-site impact of the event. This category covers a
range from level 2 (contamination and/or overexposure of a worker) to level 5 (severe damage
to the reactor core or radiological barriers).
All nuclear facilities are designed so that a succession of safety layers act to prevent
major on-site or off-site impact and the extent of the safety layers provided generally will be
commensurate with the potential for on- and off-site impact. These safety layers must all fail
before substantial off-site or on-site consequences occur. The provision of these safety layers
is termed “defence-in-depth”. The fourth column of the matrix relates to incidents at nuclear
installations or during the transportation of radioactive materials in which these defence-indepth provisions have been degraded. This column spans the incident levels 1–3.
An event which has characteristics represented by more than one criterion is always
classified at the highest level according to any one criterion.
342
Events which do not reach the threshold of any of the criteria are rated below scale at
level 0.
The back page of this leaflet gives typical descriptions of events at each level together
with examples of the classification of nuclear events which have occurred in the past at
nuclear installations.
Using the Scale
x The detailed rating procedures are provided in the INES User’s Manual. This leaflet
should not be used as the basis for rating events as it only provides examples of events at
each level, rather than actual definitions.
x Although the Scale is designed for prompt use following an event, there will be occasions
when a longer time-scale is required to understand and rate the consequences of an event.
In these rare circumstances, a provisional rating will be given with confirmation at a later
date. It is also possible that as a result of further information, an event may require
reclassification.
x The Scale does not replace the criteria already adopted nationally and internationally for
the technical analysis and reporting of events to Safety Authorities. Neither does it form a
part of the formal emergency arrangements that exist in each country to deal with
radiological accidents.
x Although the same Scale is used for all installations, it is physically impossible at some
types of installation for events to occur which involve the release to the environment of
considerable quantities of radioactive material. For these installations, the upper levels of
the Scale would not be applicable. These include research reactors, unirradiated nuclear
fuel treatment facilities, and waste storage sites.
x The Scale does not classify industrial accidents or other events which are not related to
nuclear or radiological operations. Such events are termed “out of scale”. For example,
although events associated with a turbine or generator can affect safety related equipment,
faults affecting only the availability of a turbine or generator would be classified as out of
scale. Similarly, events such as fires are to be considered out of scale when they do not
involve any possible radiological hazard and do not affect the safety layers.
x The Scale is not appropriate as the basis for selecting events for feedback of operational
experience, as important lessons can often be learnt from events of relatively minor
significance.It is not appropriate to use the Scale to compare safety performance among
countries. Each country has different arrangements for reporting minor events to the
public, and it is difficult to ensure precise international consistency in rating events at the
boundary between level 0 and level 1. The statistically small number of such events, with
variability from year to year, makes it difficult to provide meaningful international
comparisons.
x Although broadly comparable, nuclear and radiological safety criteria and the terminology
used to describe them vary form country to country. The INES has been designed to take
account of this fact.
343
Examples of rated nuclear events
x The 1986 accident at the Chernobyl nuclear power plant in the Soviet Union (now in
Ukraine) had widespread environmental and human health effects. It is thus classified as
Level 7.
x The 1957 accident at the Kyshtym reprocessing plant in the Soviet Union (now in Russia)
led to a large off-site release. Emergency measures including evacuation of the population
were taken to limit serious health effects. Based on the off-site impact of this event it is
classified as Level 6.
The 1957 accident at the air-cooled graphite reactor pile at Windscale (now Sellafield)
facility in the United Kingdom involved an external release of radioactive fission
products. Based on the off-site impact, it is classified as Level 5.
x The 1979 accident at Three Mile Island in the USA resulted in a severely damaged reactor
core. The off-site release of radioactivity was very limited. The event is classified as Level
5, based on the on-site impact.
x The 1973 accident at the Windscale (now Sellafield) reprocessing plant in the United
Kingdom involved a release of radioactive material into a plant operating area as a result
of an exothermic reaction in a process vessel. It is classified as Level 4, based on the onsite impact.
x The 1980 accident at the Saint-Laurent nuclear power plant in France resulted in partial
damage to the reactor core, but there was no external release of radioactivity. It is
classified as Level 4, based on the on-site impact.
x The 1983 accident at the RA-2 critical assembly in Buenos Aires, Argentina, an accidental
power excursion due to non-observance of safety rules during a core modification
sequence, resulted in the death of the operator, who was probably 3 or 4 metres away.
Assessments of the doses absorbed indicate 21 Gy for the gamma dose together with 22
Gy for the neutron dose. The event is classified as Level 4, based on the on-site impact.
x The 1989 incident at the Vandellos nuclear power plant in Spain did not result in an
external release of radioactivity, nor was there damage to the reactor core or contamination
on site. However, the damage to the plant’s safety systems due to fire degraded the
defence-in-depth significantly. The event is classified as Level 3, based on the defence-indepth criterion.
x The vast majority of reported events are found to be below Level 3. Although no examples
of these events are given here, countries using the Scale may individually wish to provide
examples of events at these lower levels.
344
Basic Structure of the Scale(Criteria given in matrix are broad indicators only)Detailed definitions are
provided in the INES User’s Manual
CRITERIA OR SAFETY ATTRIBUTES
OFF-SITE IMPACT
7 MAJOR ACCIDENT
6 SERIOUS ACCIDENT
5 ACCIDENT WITH
OFFSITE RISK
4 ACCIDENT
WITHOUT
SIGNIFICANT OFFSITE RISK
3 SERIOUS INCIDENT
MAJOR RELEASE:
WIDESPREAD HEALTH
AND ENVIRONMENTAL
EFFECTS
SIGNIFICANT RELEASE:
LIKELY TO REQUIRE FULL
IMPLEMENTATION OF
PLANNED COUNTERMEASURES
LIMITED RELEASE: LIKELY
TO REQUIRE PARTIAL
IMPLEMENTATION OF
PLANNED COUNTERMEASURES
MINOR RELEASE: PUBLIC
EXPOSURE OF THE ORDER
OF PRESCRIBED LIMITS
VERY SMALL RELEASE:
PUBLIC EXPOSURE AT A
FRACTION OF PRESCRIBED
LIMITS
2 INCIDENT
ON-SITE IMPACT
SEVERE DAMAGE TO
REACTOR CORE/
RADIOLOGICAL
BARRIERS
SIGNIFICANT
DAMAGE TO
REACTOR CORE/
RADIOLOGICAL
BARRIERS/FATAL
EXPOSURE OF A
WORKER
SEVERE SPREAD OF
CONTAMINATION/AC
UTE HEALTH EFFECTS
TO A WORKER
SIGNIFICANT SPREAD
OF
CONTAMINATION/OV
ER EXPOSURE OF A
WORKER
1 ANOMALY
0 DEVIATION
DEFENCE-IN-DEPTH
DEGRADATION
NEAR ACCIDENT NO
SAFETY LAYERS
REMAINING
INCIDENTS WITH
SIGNIFICANT FAILURES IN
SAFETY PROVISIONS
ANOMALY BEYOND THE
AUTHORIZED OPERATING
REGIME
NO
SAFETY
SIGNIFICANCE
345
The International Nuclear Event Scale For prompt communication of safety significance
LEVEL/DESCRI
PTOR
7 ACCIDENTS
MAJOR
ACCIDENT
6 SERIOUS
ACCIDENT
5 ACCIDENT
WITH OFFSITE RISK
4 ACCIDENT
WITHOUT
SIGNIFICAN
T OFF-SITE
RISK
3 INCIDENT
SERIOUS
INCIDENT
2 INCIDENT
1 ANOMALY
DEVIATIONS 0
BELOW SCALE
NATURE OF THE EVENTS
EXAMPLES
·
External release of a large fraction of the radioactive material in a large facility (e.g. the core of a
power reactor). This would typically involve a mixture of short and long-lived radioactive fission products
(in quantities radiologically equivalent to more than tens of thousands of terabecquerels of iodine-131).
Such a release would result in the possibility of acute health effects; delayed health effects over a wide
area, possibly involving more than one country; long-term environmental consequences.
·
External release of radioactive material (in quantities radiologically equivalent to the order of
thousands to tens of thousands of terabecquerels of iodine-131). Such a release would be likely to result in
full implementation of countermeasures covered by local emergency plans to limit serious health effects.
·
External release of radioactive material (in quantities radiologically equivalent to the order of
hundreds to thousands of terabecquerels of iodine-131). Such a release would be likely to result in partial
implementation of countermeasures covered by emergency plans to lessen the likelihood of health effects.·
Severe damage to the installation. This may involve severe damage to a large fraction of the core of a
power reactor, a major criticality accident or a major fire or explosion releasing large quantities of
radioactivity within the installation.
·
External release of radioactivity resulting in a dose to the critical group of the order of a few
millisieverts.* With such a release the need for off-site protective actions would be generally unlikely
except possibly for local food control.· Significant damage to the installation. Such an accident might
include damage leading to major on-site recovery problems such as partial core melt in a power reactor
and comparable events at non-reactor installations.· Irradiation of one or more workers resulting in an
overexposure where a high probability of early death occurs.
Chernobyl NPP, USSR
(now in Ukraine), 1986
·
External release of radioactivity resulting in a dose to the critical group of the order of tenths of
millisievert.* With such a release, off-site protective measures may not be needed. On-site events
resulting in doses to workers sufficient to cause acute health effects and/or an event resulting in a severe
spread of contamination for example a few thousand terabecquerels of activity released in a secondary
containment where the material can be returned to a satisfactory storage area.· Incidents in which a further
failure of safety systems could lead to accident conditions, or a situation in which safety systems would be
unable to prevent an accident if certain initiators were to occur.
·
Incidents with significant failure in safety provisions but with sufficient defence-in-depth remaining
to cope with additional failures. These include events where the actual failures would be rated at level 1
but which reveal significant additional organizational inadequacies or safety culture deficiencies.· An
event resulting in a dose to a worker exceeding a statutory annual dose limit and/or an event which leads
to the presence of significant quantities of radioactivity in the installation in areas not expected by design
and which require corrective action.
·
Anomaly beyond the authorized regime but with significant defence-in-depth remaining. This may be
due to equipment failure, human error or procedural inadequacies and may occur in any area covered by
the scale, e.g. plant operation, transport of radioactive material, fuel handling, waste storage. Examples
include: breaches of technical specifications or transport regulations, incidents without direct safety
consequences that reveal inadequacies in the organizational system or safety culture, minor defects in
pipework beyond the expectations of the surveillance programme.
·
Deviations where operational limits and conditions are not exceeded and which are properly managed
in accordance with adequate procedures. Examples include: a single random failure in a redundant system
discovered during periodic inspections or tests, a planned reactor trip proceeding normally, spurious
initiation of protection systems without significant consequences, leakages within the operational limits,
minor spreads of contamination within controlled areas without wider implications for safety culture.
Kyshtym Reprocessing Plant,
USSR(now in Russia), 1957
Windscale Pile, UK, 1957
Three Mile Island, NPP, USA,
1979
Windscale Reprocessing Plant,
UK, 1973
Saint-Laurent NPP, France,
1980
Buenos Aires, Critical
Assembly, Argentina, 1983
Vandellos NPP, Spain, 1989
NO SAFETY
SIGNIFICANCE
*The doses are expressed in terms of effective dose equivalent (whole dose body). Those criteria where
appropriate can also be expressed in terms of corresponding annual effluent discharge limits authorized by
National authorities.
346
Appendix VII
REGULATORY CONTROL OF NUCLEAR POWER PLANTS —
SYLLABUS AND EXAMPLE COURSE PROGRAMME (KARLSRUHE, 2000)
REGIONAL TRAINING COURSE ON REGULATORY CONTROL OF NPPs: SYLLABUS
1.
1.1
1.2.
1.3.
1.4.
1.5.
1.6.
1.7.
1.8.
LEGISLATIVE AND REGULATORY FRAMEWORK
IAEA approach
IAEA Safety Standards
International conventions
Legislative and statutory framework
Scope of legislation
Regulatory guidance
Safety criteria for nuclear power plants
Country specific examples
2.
2.1.
2.2.
2.3.
2.4.
2.5.
2.6.
2.7.
REGULATORY BODY
IAEA approach
Responsibilities and functions of the regulatory body
Organization and duties of the regulatory body
Licensing of a nuclear power plant
Quality assurance, self-assessment and performance reviews
Professionalism and training of the staff of the regulatory body
Country specific examples
3.
3.1.
3.2.
3.3.
3.4.
3.5.
3.6.
3.7.
ASSESSMENT OF SAFETY
IAEA approach
Stages of assessment
Assessment methodology3
Assessment of modifications
Assessment of operational experience in-house and worldwide
Periodic safety review assessments
Country specific examples
4.
4.1.
4.2.
4.3.
4.4.
4.5
4.6.
4.7.
INSPECTION ACTIVITIES
IAEA approach
Inspection programme, types of inspections
Inspection guidance
Implemention, methods of checking for compliance
Reporting results of inspections
Actions in response to non-compliance with regulatory requirements
Country specific examples
5.
5.1.
5.2
5.3
5.4
5.5.
DOCUMENTATION
IAEA approach
Documents generated within an authorization process
Documents generated by the operator
Documents generated by the regulatory body
Use and updating procedures for licence document
347
5.6. Country specific examples
6.
6.1
6.2.
6.3.
6.4.
6.5.
6.6.
6.7.
DEVELOPING SAFETY
IAEA approach to safety culture
Interface of regulator and operator
The role of regulator in developing safety
Assessment: detecting incipient weaknesses
Use of risk insights
The role of safety research
Country specific examples
7.
7.1.
7.2.
7.3.
7.4.
7.5.
7.6.
7.7.
EMERGENCY ARRANGEMENTS
IAEA approach to emergency response
Monitoring and assessment
Intervention
Plans, resources and equipment
Training and exercises
Communication
Country specific examples
8.
8.1.
8.2.
8.3.
8.4.
8.5.
8.6.
8.7.
COMMUNICATION WITH THE PUBLIC
IAEA approach to nuclear communications
Role of regulatory body
Reporting operating events
INES classification
Tools and methods
Crisis communication
Country specific examples
9.
TECHNICAL VISIT (highlight areas of inspection interest)
348
349
4.30–
5.00
3.40 4.30
2.403.30
Coffee
1.30 2.20
Lunch
11.4012.30
10.4011.30
Coffee
9.3010.20
8.30 9.20
TIME
Participant presentation
25 min
Group work on international
standards and conventions,
Aro, Stoiber
Regulatory body
Professionalism and training
of the regulatory staff (75
min)
Aro
Cont
Group work on participant
Highlights from Monday
issues, (4.40–6.00)
(2 participants)
Burkart, Schrammel
6.00
Welcome party
Regulatory body
National practices in Germany
Schatke
Regulatory Framework
National practices in Germany
Schatke
Regulatory Framework
Regulatory body
IAEA Requirements and
guidance
Delattre
Routine interaction between
authority, TÜV and NPP:
Contents, modes, levels,
responsibilities, documents
Reg. body, TÜV, GKN
Practical aspects of
inspections: Preparation,
Implementation, Support,
Evaluation, conclusions and
consequences,
Reporting
Regulatory body, TÜV,
GKN
Highlights from Tuesday and
Wednesday
(4 participants)
Cont.
Group Work on
developing safety
Aro, Stoiber, Roth, Reiman
Reiman
The use of risk insights in the
Finnish Regulatory Body
Highlights from Thursday
(2 participants)
Cont.
Examples of Regulatory
Guidance
US NRC regulatory
guidance
Stoiber
Group Work on regulatory
approaches and practices
in different countries
Aro, Stoiber, Reiman
REGIONAL TRAINING COURSE ON REGULATORY CONTROL OF NPPs, KARLSRUHE, GERMANY, 14–25 MAY 2001
Week 1
MONDAY, 14.05.01
TUESDAY, 15.05.01
WEDNESDAY, 16.05.01
THURSDAY, 17.05.01
FRIDAY, 18.05.01
Regulatory Body
Course Opening
Regulatory approach and
IAEA Safety Standards
Regulatory body/operator
Visit to NPP (GKN)
organization in Finland
interface
Welcome, Plant features
Burkart, Aro
Splitting up into groups
Reiman
Aro
Entrance procedures
Reiman
Quality assurance in the
Guidance on detecting
„Inspection“ of the plant:
Safety Fundamentals: Basic
Safety related international
regulatory body; Internal
weaknesses in safety and how
Containment, Control room
Safety Objectives
conventions
quality manual, national
to react
Turbine hall, Overview from
experiences
top of cooling tower
Aro
Delattre
Reiman
Reiman
Regulatory Guidance
Regulatory Framework
Convention on Nuclear Safety Qualification requirements
Cont.
German experiences to
Objectives, procedures for
promote safety
for NPP personnel in
development,
Germany
IAEA Guidance
Stoiber
Roth
Götz
Kalinowski
Examples of Regulatory
Regulatory body
Cont.
Cont.
Risk informed regulation in
Governmental organization
Guidance
the USA
for nuclear safety in USA
KTA Nuclear Safety
Standards
Stoiber
Stoiber
Stoiber
Kalinowski
350
Lipar, Burkart
Cont.
Highlights from Monday
(2 participants)
Libmann
Inspection Activities
IAEA guidance
Hughes
Highlights from Friday
(2 participants)
4.30–5.00
3.40–4.30
2.20–3.30
Safety assessment
Periodic safety review
Libmann
Developing safety in France
1.30 2.20
Coffee
Examples of licensing
documents: Emergency
manual
Gessler
Group Work
Case studies for assessment/
licensing
Libmann
Lunch
Participant presentation on
FSAR and regulatory
documents (25 min)
Regulatory Documents
Examples of licensing
documents:
Quality assurance manual
Ritter
Assessment of Safety
Assessment of plant
modifications
Lipar
Cont. Updating of
documents (25 min)
Lipar
Operational experience
feedback
Hughes
Documentation in the
regulatory body
IAEA guidance
Assessment of Safety
IAEA guidance
Stages of assessment
Hughes
11.40–
12.30
10.40–
11.30
Coffee
9.30–
10.20
8.30 9.20
TIME
Highlights from Tuesday
(2 participants)
Cont.
Regulatory body
Emergency arrangements
including exercise
Burkart, Schrammel
Wildermann
Reporting results
Compliance checking
Actions in response to noncompliance
Robbins
Wildermann
Inspection manual
Types of inspections
Examples
Objectives, arrangements for
inspection and inspectors
right for entry
Wildermann
Group Work
Presentation of results
Cont.
Highlights from Wednesday
(2 participants)
Hoffmann, Robbins
Group Work
Steps required for a specific
inspection
2 participant presentations
2 participant presentations
7.00 p.m.
Fare-well Party
Burkart, Delattre, Robbins
Feedback from every
participant on key points
they have learned and how
they will use them.
Course evaluation
Course closure
Delattre
INES
Delattre
IRRT experiences
Examples of inspections:
United Kingdom [1 h]
Robbins
Delattre
IAEA IRRT services to
review regulatory activities
Hoffmann
Examples of inspections:
Germany [1 h]
REGIONAL TRAINING COURSE ON REGULATORY CONTROL OF NPPs, KARLSRUHE, GERMANY, 14–25 MAY 2001
Week 2
MONDAY, 21.05.01
TUESDAY, 22.05.01
WEDNESDAY, 23.05.01
THURSDAY, 24.05.01
FRIDAY, 25.05.01
Regulatory body
Licensing of a NPP
Inspection programmes and
Inspection Activities
Regulatory body
Regulatory Documents
types of inspections
effectiveness and selfIAEA guidance
Licensing documents and
Investigations and
assessment, IAEA practices
their use, FSAR
enforcement
Slovak experience
Delattre
Robbins
Hughes
Robbins
Lipar
REFERENCES
[1]
[2]
[3]
[4]
[5]
[6]
[7]
[8]
[9]
[10]
[11]
[12]
[13]
[14]
[15]
[16]
[17]
[18]
[19]
[20]
[21]
INTERNATIONAL ATOMIC ENERGY AGENCY, IAEA Bulletin 40 2 (1998).
INTERNATIONAL ATOMIC ENERGY AGENCY, Legal and Governmental
Infrastructure for Nuclear, Radiation, Radioactive Waste and Transport Safety,
Requirements, Safety Series No. GS-R-1, IAEA, Vienna (2000).
INTERNATIONAL ATOMIC ENERGY AGENCY, Safety of Nuclear Power Plants:
Design, Safety Series No. NS-R-1, IAEA, Vienna (2000).
INTERNATIONAL ATOMIC ENERGY AGENCY, Safety of Nuclear Power Plants:
Operation, Safety Series No. NS-R-2, IAEA, Vienna (2000).
INTERNATIONAL ATOMIC ENERGY AGENCY, Code Safety of Nuclear Power
Plants: Siting, Safety Series No. 50-C-S (Rev. 1), IAEA, Vienna (1998).
INTERNATIONAL ATOMIC ENERGY AGENCY, Safety of Nuclear Power Plants:
Quality Assurance, Safety Series No. 50-C-QA (Rev. 1), IAEA, Vienna (1988).
INTERNATIONAL ATOMIC ENERGY AGENCY, Basic Safety Principles for
Nuclear Power Plants, No. 75-INSAG-12, (Rev. 1), IAEA, Vienna (1999).
INTERNATIONAL ATOMIC ENERGY AGENCY, The Safety of Nuclear
Installations, Safety Series No. 110 (1993).
INTERNATIONAL ATOMIC ENERGY AGENCY, Defence in Depth in Nuclear
Safety, No. 75-INSAG-10, (1996).
INTERNATIONAL ATOMIC ENERGY AGENCY, Safety Culture, No. 75-INSAG-4,
(1991).
INTERNATIONAL ATOMIC ENERGY AGENCY, Convention on Nuclear Safety,
Legal Series No. 16, IAEA, Vienna (1994).
INTERNATIONAL ATOMIC ENERGY AGENCY, Convention on Early Notification
of a Nuclear Accident and Convention on Assistance in the Case of a Nuclear Accident
or Radiological Emergency, Legal Series No. 14, IAEA, Vienna (1987).
INTERNATIONAL ATOMIC ENERGY AGENCY, The Joint Convention on the
Safety of Spent Fuel Management and on the Safety of Radioactive Waste Management,
INFCIRC/546, IAEA.
INTERNATIONAL ATOMIC ENERGY AGENCY, Joint Protocol Relating to the
Application of the Vienna Convention and the Paris Convention, INFCIRC/402, IAEA.
OECD Nuclear Energy Agency, Committee on Nuclear Regulatory Activities,
Inspection Philosophy, Inspection Organizations and Inspection Practices, [OCDE/GD
(97)140], OECD/NEA, Paris (1997).
Radiation and Nuclear Safety Authority, Radiation and Nuclear Safety Authority as the
Regulatory Authority for the Use of Nuclear Energy, Guide YVL 1.1 (1992).
The Licensing and Supervisory Procedure for Nuclear Facilities in the Federal Republic
of Germany, Gesellschaft fuer Anlagen und Reaktorsicherheit (GRS)mbH (1988).
INTERNATIONAL ATOMIC ENERGY AGENCY, Guidelines for IAEA International
Regulatory Review Teams (IRRTs), IAEA-TECDOC-703, Vienna (1993).
ARO, I., Systematic Approach to Training, Experiences from the Training Activities of
Regulatory Personnel in STUK, Radiation and Nuclear Safety Authority, STUK-BYTV173, STUK, Helsinki (1998).
INTERNATIONAL ATOMIC ENERGY AGENCY, Training the Staff of the
Regulatory Body for Nuclear Facilities: A Competency Framework, IAEA-TECDOC1254, IAEA, Vienna (2001).
OECD Nuclear Energy Agency, Committee on Nuclear Regulatory Activities, Inspector
Qualification Guidelines, [(NEA/CNRA(94)1], OECD NEA, Paris (1994).
351
[22] Libmann, J. Elements of Nuclear Safety, EDP, France (1996).
[23] Radiation and Nuclear safety Authority, Repairs, Modifications and Preventive
Maintenance at Nuclear Facilities, Guide YVL 1.8 (1992).
[24] INTERNATIONAL ATOMIC ENERGY AGENCY, Periodic Safety Review of
Operational Nuclear Power Plants, Safety Series No. 50-SG-012, IAEA, Vienna (1994).
[25] INTERNATIONAL ATOMIC ENERGY AGENCY, Developing Safety Culture in
Nuclear Activities — Practical Suggestions to Assist Progress, Safety Report No. 11
(1999).
[26] INTERNATIONAL ATOMIC ENERGY AGENCY, Management of Operational Safety
in Nuclear Power Plants, No. 75-INSAG-13, IAEA, Vienna (1999).
[27] INTERNATIONAL ATOMIC ENERGY AGENCY, Intervention Criteria in a Nuclear
or Radiation Emergency, Safety Series No. 109, Vienna (1994).
[28] INTERNATIONAL ATOMIC ENERGY AGENCY, Method for the development of
emergency response preparedness for nuclear or radiological accidents, IAEATECDOC-953, Vienna (1997).
[29] INTERNATIONAL ATOMIC ENERGY AGENCY, Generic Assessment Procedures
for Determining Protective Actions during a Reactor Accident, IAEA-TECDOC-955,
Vienna (1997).
[30] INTERNATIONAL ATOMIC ENERGY AGENCY, Training Manual for Reactor
Accident Assessment and Response, Working Material, Vienna (1998).
[31] International Commission on Radiological Protection, Protection of the Public in the
Event of Major Radiation Accidents: Principles for Planning, Publication No. 40,
Pergamon Press, Oxford and New York (1984).
[32] International Commission on Radiological Protection, Principles for Intervention for
Protection of the Public in a Radiological Emergency, Publication No. 63, Pergamon
Press, Oxford and New York (1993).
[33] FOOD AND AGRICULTURE ORGANIZATION OF THE UNITED NATIONS,
INTERNATIONAL ATOMIC ENERGY AGENCY, INTERNATIONAL LABOUR
ORGANISATION, OECD NUCLEAR ENERGY AGENCY, PAN AMERICAN
HEALTH ORGANIZATION, WORLD HEALTH ORGANIZATION, International
Basic Safety Standards for Protection against Ionising Radiation and for the Safety of
Radiation Sources, Safety Series No. 115, IAEA, Vienna (1996).
[34] Commission Regulation (EURATOM) No. 770/90 of 29 March 1990 laying down
maximum permitted levels of radioactive contamination of feeding stuffs following a
nuclear accident or any other case of radiological emergency. (Official Journal of the
European Communities L-83 of 30/03/90).
[35] National Radiological Protection Board (NRPB), Board Statement on Emergency
Reference Levels. Documents of the NRPB, Vol. 1 No. 4, Chilton (1990).
[36] INTERNATIONAL ATOMIC ENERGY AGENCY, Generic Procedures for
Monitoring in a Nuclear or Radiological Emergency, IAEA-TECDOC-1092, IAEA,
Vienna (1999).
[37] INTERNATIONAL ATOMIC ENERGY AGENCY, Communications on Nuclear,
Radiation, Transport and Waste Safety: A Practical Handbook, TECDOC-1076, IAEA,
Vienna (1999).
[38] INTERNATIONAL ATOMIC ENERGY AGENCY, Proceedings of a Workshop on
Information to the Public, J. Laaksonen, K. Tossavainen, H. Hautakangas, O. Wiio
(Finland) and G. Wuenche (Sweden), Helsinki, (1995).
[39] INTERNATIONAL ATOMIC ENERGY AGENCY, INES Leaflet.
352
CONTRIBUTORS TO DRAFTING AND REVIEW
ARO, I.
International Atomic Energy Agency
BURKART, K.
Germany
CRICK, M.
International Atomic Energy Agency
DAHLGREN, K.
International Atomic Energy Agency
FIEDLER-POEHLMANN, A.
Germany
GOETZ, C.
Germany
HALL, A.
South Africa
HOFFMANN, B.
Germany
KALINOWSKI, I.
Germany
KRIZ, Z.
International Atomic Energy Agency
LACEY, D.
International Atomic Energy Agency
LEDERMAN, L.
International Atomic Energy Agency
LEMOINE, P.
International Atomic Energy Agency
LIBMANN, J.
France
McKENNA, T.
International Atomic Energy Agency
PHILIP, G.
International Atomic Energy Agency
RANGUELOVA, V.
International Atomic Energy Agency
REIMAN, L.
Finland
REUHL, P.
Germany
RITTER, J.
Germany
ROBBINS, M.
United Kingdom
ROTH, E.
Germany
SCHATTKE, H.
Germany
STOIBER, C.
United States of America
ZUBER, J.F.
Switzerland
353
TRAINING COURSE SERIES No. 15
Regulatory control of
nuclear power plants
Part B (Workbook)
INTERNATIONAL ATOMIC ENERGY AGENCY, VIENNA, 2002
The originating Section of this publication in the IAEA was:
Safety Co-ordination Section
International Atomic Energy Agency
Wagramer Strasse 5
P.O. Box 100
A-1400 Vienna, Austria
REGULATORY CONTROL OF NUCLEAR POWER PLANTS
PART B (WORKBOOK)
IAEA, VIENNA, 2002
IAEA–TCS–15
ISSN 1018–5518
© IAEA, 2002
Printed by the IAEA in Austria
September 2002
FOREWORD
The purpose of this workbook and the corresponding textbook is to support IAEA
training courses and workshops in the field of regulatory control of nuclear power plants as
well as to support the regulatory bodies of Member States in their own training activities. The
target group is the professional staff members of nuclear safety regulatory bodies supervising
nuclear power plants and having duties and responsibilities in the regulatory fields.
The workbook (Part B) contains learning objectives for each section of the textbook
(Part A) and exercises for individual studies to help the reader to focus on the important topics
and to control learning. The workbook also provides group tasks so that course participants
can compare their practices and learn from each other. This is achieved in the most effective
manner if participants first perform their individual exercises and then participate in the group
activity. The workbook also encourages learners to use the Internet by referring to some
regulatory bodies who display useful information on their home pages.
The structure of the textbook and workbook makes it possible to develop remote
learning arrangements either on individual bases or in the form of remote training courses
organized and supported by the IAEA and/or volunteer organization that would be willing to
provide training support.
The IAEA officer responsible for the publication was I. Aro of the Department of
Nuclear Safety. Ongoing responsibility lies with L. Lederman of the Division of Nuclear
Installation Safety.
EDITORIAL NOTE
The use of particular designations of countries or territories does not imply any judgement by the
publisher, the IAEA, as to the legal status of such countries or territories, of their authorities and
institutions or of the delimitation of their boundaries.
The mention of names of specific companies or products (whether or not indicated as registered) does
not imply any intention to infringe proprietary rights, nor should it be construed as an endorsement
or recommendation on the part of the IAEA.
CONTENTS
Introduction ................................................................................................................................ 1
Learning objectives for Section 1............................................................................................... 2
Learning objectives for Section 2............................................................................................... 3
Learning objectives for Section 3............................................................................................... 4
Learning objectives for Section 4............................................................................................... 5
Learning objectives for Section 5............................................................................................... 6
Learning objectives for Section 6............................................................................................... 7
Learning objectives for Section 7............................................................................................... 8
Learning objectives for Section 8............................................................................................... 9
Control questions to Section 1 ................................................................................................. 10
Control questions to Section 2 ................................................................................................. 27
Control questions to Section 3 ................................................................................................. 38
Control questions to Section 4 ................................................................................................. 50
Control questions to Section 5 ................................................................................................. 61
Control questions to Section 6 ................................................................................................. 66
Control questions to Section 7 ................................................................................................. 71
Control questions to Section 8 ................................................................................................. 75
INTRODUCTION
The workbook contains learning objectives for each section to support the instructors
and learners. The learning objectives suggest the following path to reach the learning
objectives: a) to follow the lectures, b) to read the respective text part, c) to perform the
exercises, d) to study the given IAEA references and e) to discuss with the tutor the
application of the IAEA practices at the national level, after which the learner is able to reach
the learning objectives. This implies much more than lectures during the training course. In
fact, it is suggested that the participation in the IAEA training course is only one step on the
learner’s way to comprehensive understanding of the subject matter: it is expected that the
Member States organizations support the development of trainees with other activities such as
on the job training e.g. on the basis of following workbook.
For each section there are control questions aimed at assisting the learner to remember
better the key issues of each respective section and to provide self-assessment of learning. In
addition, this course material offers specific tasks to be carried out individually in order to
encourage the learner to use Internet for finding useful information for comparison, to assist
the learner to apply the knowledge and to study his/her own national arrangements and to
compare them with international practices. The nomination of a personal tutor who would
check the answers and provide further information if necessary is of advantage. For each
section group activities are also proposed so that course participants from different horizons
can compare their practices and learn from each other.
1
LEARNING OBJECTIVES FOR SECTION 1
Legislative and Regulatory Framework
After following the lectures, studying the printed material, performing the exercises, studying
the given IAEA references and after discussing with the tutor the application of the IAEA
practices at the national level, the learner will be able to describe the following:
•
Fundamental international standards on nuclear safety i.e. IAEA Safety Standards and
nuclear safety related conventions;
•
IAEA Requirements on governmental legislation and organization for nuclear safety;
•
Safety Fundamentals and basic features of safety criteria for nuclear power plants;
•
Convention on Nuclear Safety: technical obligations and implementation process;
•
Obligations of other safety related conventions;
•
Fundamentals of national regulatory framework;
•
Legal pyramid and the role of national regulatory guidance;
•
Some national good practices on legal and regulatory frameworks;
•
National legal and regulatory framework in the learner’s own country;
•
Comparison of the learner’s own country with international practices.
FUNDAMENTAL REFERENCES (TO BE READ THOROUGHLY)
2
•
INTERNATIONAL ATOMIC ENERGY AGENCY, Convention on Nuclear Safety,
Legal Series No. 16 Vienna (1994).
•
INTERNATIONAL ATOMIC ENERGY AGENCY, The Safety of Nuclear
Installations, Safety Series No. 110, Vienna (1993).
•
INTERNATIONAL ATOMIC ENERGY AGENCY, Legal and Governmental
Infrastructure for Nuclear, Radiation, Radioactive Waste and Transport Safety, Safety
Series No. GS-R-1, IAEA, Vienna (2000).
LEARNING OBJECTIVES FOR SECTION 2
Regulatory Body
After following the lectures, studying the printed material, performing the exercises, studying
the given IAEA references and after discussing with the tutor the application of the IAEA
practices at the national level, the learner will be able to describe the following:
• IAEA guidance on regulatory organization and functions;
• Some national good practices on regulatory organizations;
• Licensing of a nuclear power plant;
• Some national practices on licensing;
• Quality assurance in the regulatory body;
• Regulatory effectiveness and performance reviews;
• Professionalism and training of the regulatory staff;
• National regulatory practices in the learner’s own country;
• Comparison of the learner’s own regulatory body with international practices.
FUNDAMENTAL REFERENCES (TO BE READ THOROUGHLY)
• INTERNATIONAL ATOMIC ENERGY AGENCY, Organization and Staffing of the
Regulatory Body for Nuclear Facilities, Safety Series No. GS-G-1.1, IAEA, Vienna (2002).
• OECD Nuclear Energy Agency, Committee on Nuclear Regulatory Activities, Inspection
Philosophy, Inspection Organizations and Inspection Practices, Report OCDE/GD (97)
140, OECD/NEA, Paris (1997).
• INTERNATIONAL ATOMIC ENERGY AGENCY, IAEA International Regulatory
Review Teams (IRRT), IAEA-TECDOC-703, IAEA, Vienna (1993).
3
LEARNING OBJECTIVES FOR SECTION 3
Assessment of Safety
After following the lectures, studying the printed material, performing the exercises, studying
the given IAEA references and after discussing with the tutor the application of the IAEA
practices at the national level, the learner will be able to describe the following:
• IAEA guidance on regulatory review and assessment function;
• IAEA guidance on review and assessment methodology;
• Defence in depth concept;
• Postulated initiating events;
• Analysis of fault conditions;
• Some national good practices on regulatory review and assessment;
• Assessment of modifications;
• Assessment of operational experience;
• Periodic safety review;
• National regulatory review and assessment practices in the learner’s own country;
• Comparison of the learner’s review and assessment practices with international practices.
FUNDAMENTAL REFERENCES (TO BE READ THOROUGHLY)
• INTERNATIONAL ATOMIC ENERGY AGENCY, Review and Assessment of Nuclear
Facilities by the Regulatory Body, Safety Guide GS-G-1.2, IAEA, Vienna (2002).
• INTERNATIONAL ATOMIC ENERGY AGENCY, Defence in Depth in Nuclear Safety,
Safety Series No. 75-INSAG-10, IAEA, Vienna (1996).
• INTERNATIONAL ATOMIC ENERGY AGENCY, Code on the Safety of Nuclear Power
Plants: Siting, Safety Series No. 50-C-S (Rev. 1), IAEA (1988).
• INTERNATIONAL ATOMIC ENERGY AGENCY, Safety of Nuclear Power Plants:
Design, Safety Series No. NS-R-1, IAEA, Vienna (2000).
• INTERNATIONAL ATOMIC ENERGY AGENCY, Safety of Nuclear Power Plants:
Operation, Safety Series No. NS-R-2, IAEA (2000).
• INTERNATIONAL ATOMIC ENERGY AGENCY, Periodic Safety Review of
Operational Nuclear Power Plants, Safety Series No. 50-SG-O12, IAEA (1994).
4
LEARNING OBJECTIVES FOR SECTION 4
Inspection and Enforcement by the Regulatory Body
After following the lectures, studying the printed material, performing the exercises, studying
the given IAEA references and after discussing with the tutor the application of the IAEA
practices at the national level, the learner will be able to describe the following:
• IAEA guidance on inspection and enforcement function;
• IAEA guidance on inspection and enforcement methods;
• Some national good practices on inspection and enforcement;
• Typical inspection programmes and types of inspection;
• Inspection planning, implementation and reporting;
• Inspection of plant modifications;
• Inspection of operational events;
• National inspection and enforcement practices in the learner’s own country;
• Comparison of the learner’s inspection and enforcement practices with international
practices.
FUNDAMENTAL REFERENCE (TO BE READ THOROUGHLY)
• INTERNATIONAL ATOMIC ENERGY AGENCY, Regulatory Inspection of Nuclear
Facilities and Enforcement by the Regulatory Body, Safety Series No. GS-G-1.3, IAEA,
Vienna (2002).
5
LEARNING OBJECTIVES FOR SECTION 5
Documentation
After following the lectures, studying the printed material, performing the exercises, studying
the given IAEA references and after discussing with the tutor the application of the IAEA
practices at the national level, the learner will be able to describe the following:
•
IAEA guidance on documentation used in regulatory activities;
• Licensing documents needed by the regulatory body from the applicant;
• Documents generated by the regulatory body within the licensing process of a NPP;
• Reporting by the NPP organization to the regulatory body;
• Some national good practices on regulatory documentation;
• The content and use of safety analysis report;
• Documents needed for plant modifications;
• Updating of documentation;
• National documentation practices in the learner’s own country;
• Comparison of the learner’s documentation practices with international practices.
FUNDAMENTAL REFERENCES (TO BE READ THOROUGHLY)
• INTERNATIONAL ATOMIC ENERGY AGENCY, Documentation to be Produced or
Required in Regulating Nuclear Facilities, Safety Standard Series GS-G-1.4, IAEA Vienna
(2002).
6
LEARNING OBJECTIVES FOR SECTION 6
Developing Safety
After following the lectures, studying the printed material, performing the exercises, studying
the given IAEA references and after discussing with the tutor the application of the IAEA
practices at the national level, the learner will be able to describe the following:
• IAEA guidance on development of safety culture;
• Stages of safety culture in an organization and its development;
• Role of regulator in the development of safety;
• Assessment of safety culture: detecting incipient weaknesses;
• Some national good practices on safety development;
• Risk informed and performance based regulation in the USA;
• National safety development practices in the learner’s own country;
• Comparison of the learner’s own country with international practices.
FUNDAMENTAL REFERENCES (TO BE READ THOROUGHLY)
• INTERNATIONAL ATOMIC ENERGY AGENCY, Safety Culture, Safety Series No. 75INSAG-4, IAEA, Vienna (1991).
• INTERNATIONAL ATOMIC ENERGY AGENCY, Developing Safety Culture in Nuclear
Activities, Safety Report No. 11, IAEA, Vienna (1999).
• INTERNATIONAL ATOMIC ENERGY AGENCY, Management of Operational Safety in
Nuclear Power Plants, Safety Series No. 75-INSAG-13, IAEA, Vienna (1999).
7
LEARNING OBJECTIVES FOR SECTION 7
Emergency Arrangements
After following the lectures, studying the printed material, performing the exercises, studying
the given IAEA references and after discussing with the tutor the application of the IAEA
practices at the national level, the learner will be able to describe the following:
• IAEA guidance on emergency response;
• Warning emergency management authorities;
• Assessment, monitoring and measurement;
• Intervention;
• Emergency plans, facilities and equipment; training;
• Communication;
• National emergency response practices in the learner’s own country;
• Comparison of the learner’s own country with international practices.
FUNDAMENTAL REFERENCES (TO BE READ THOROUGHLY)
• INTERNATIONAL ATOMIC ENERGY AGENCY, Intervention Criteria in a Nuclear or
Radiation Emergency, Safety Standards Series No. 109, Vienna (1994).
• INTERNATIONAL ATOMIC ENERGY AGENCY, Method for the Development of
Emergency Response Preparedness for Nuclear or Radiological Accidents, IAEATECDOC-953, Vienna (1997).
• INTERNATIONAL ATOMIC ENERGY AGENCY, Generic Assessment Procedures for
Determining Protective Actions during a Reactor Accident, IAEA-TECDOC-955, Vienna
(1997).
• INTERNATIONAL ATOMIC ENERGY AGENCY, Training Manual for Reactor
Accident Assessment and Response, Working Material, Vienna (1998).
8
LEARNING OBJECTIVES FOR SECTION 8
Communication with the Public
After following the lectures, studying the printed material, performing the exercises, studying
the given IAEA references and after discussing with the tutor the application of the IAEA
practices at the national level, the learner will be able to describe the following:
• IAEA guidance on public communication;
• INES scale;
• Role of the regulatory body in public communication;
• Public communication during normal operation;
• Public communication during emergencies;
• National practices in public communication in the learner’s own country;
• Comparison of the learner’s own country with international practices.
FUNDAMENTAL REFERENCES (TO BE READ THOROUGHLY)
• INTERNATIONAL ATOMIC ENERGY AGENCY, Communications on Nuclear,
Radiation, Transport and Waste Safety: A Practical Handbook, TECDOC-1076, Vienna
(1999).
• INTERNATIONAL ATOMIC ENERGY AGENCY, INES Leaflet.
9
CONTROL QUESTIONS TO SECTION 1
The objective of these questions is to assist the learner to remember better the key issues of
Section 1 and to provide self-assessment of learning. Please write your answers on the empty
spaces reserved for the purpose. If agreed your personal tutor can check your answers. The
right answers are found from the respective parts of textbook handling the topic. If you do not
know the answer read the text carefully again.
1.
According to the IAEA Requirements, list 5 most important topics, arrangements or
organizations which government must establish for ensuring nuclear safety.
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
2.
What is said about the operators’ responsibility in the IAEA Requirements?
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
3.
According to the IAEA Requirements, list 5 important governmental topics which shall
appear in the legislation (other than mentioned in the answer to question 1).
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
10
4.
List 5 international conventions that have something to do with nuclear safety.
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
5.
Explain the role of international safety related conventions in the Member State.
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
6.
Explain the implementation process related to the Convention on Nuclear Safety.
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
7.
Explain a) the role of Member State in the IAEA Safety Standards’ development process
and b) the role of IAEA Safety Standards in the Member State.
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
11
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
8.
Explain the hierarchy of IAEA Safety Standards and compare them against the member
state rules and regulations.
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
9.
What is the difference (status and content) between technical requirements presented in
the Convention on Nuclear Safety and in the IAEA Safety Fundamentals.
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
10.
List the 5 IAEA Requirements documents which have something to do with nuclear
safety.
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
12
11.
What are the 3 main safety objectives mentioned by the IAEA Safety Standards and
what do they say (in your own words)?
1.__________________________________________________________________________
___________________________________________________________________________
2.__________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
3.__________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
12.
List and explain 5 safety principles reflecting technical (design) aspects of safety,
mentioned in the IAEA Safety Fundamentals (in your own words).
1.__________________________________________________________________________
___________________________________________________________________________
2.__________________________________________________________________________
___________________________________________________________________________
3.__________________________________________________________________________
___________________________________________________________________________
4.__________________________________________________________________________
___________________________________________________________________________
5.__________________________________________________________________________
___________________________________________________________________________
13
13.
List and explain 3 safety principles reflecting “direct” operational safety aspects,
mentioned in the IAEA Safety Fundamentals (in your own words).
1.____________________________________________________
Download